9.1 - RHSA-2020:0497

Executive Summary

Summary
Title	AMQ Online security update

Informations
Name	RHSA-2020:0497	First vendor Publication	2020-02-13
Vendor	RedHat	Last vendor Modification	2020-02-13
Severity (Vendor)	N/A	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Overall CVSS Score	9.1
Base Score	9.1	Environmental Score	9.1
impact SubScore	5.2	Temporal Score	9.1
Exploitabality Sub Score	3.9

Attack Vector	Network	Attack Complexity	Low
Privileges Required	None	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Cvss Base Score	6.4	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update of the Red Hat OpenShift Container Platform 3.11 and 4.1 container images is now available for Red Hat AMQ Online.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

The release of Red Hat AMQ Online 1.3.3 serves as a replacement for AMQ online 1.3.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

The Red Hat OpenShift Container Platform 3.11 and 4.1 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available from https://access.redhat.com.

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

4. Bugs fixed (https://bugzilla.redhat.com/):

1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling

5. References:

https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/html/release_notes_for_amq_online_1.3_on_openshift/

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2020-0497.html

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-444	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Spark cpe:2.3:a:apache:spark:2.4.8:::::::* cpe:2.3:a:apache:spark:2.4.7:::::::*	2
Application	Netty cpe:2.3:a:netty:netty:4.1.43:::::::* cpe:2.3:a:netty:netty:4.1.0:beta4:::::: cpe:2.3:a:netty:netty:4.1.0:beta3:::::: cpe:2.3:a:netty:netty:4.1.0:beta1:::::: cpe:2.3:a:netty:netty:4.1.0:beta2:::::: cpe:2.3:a:netty:netty:4.0.9:::::::* cpe:2.3:a:netty:netty:4.0.8:::::::* cpe:2.3:a:netty:netty:4.0.7:::::::* cpe:2.3:a:netty:netty:4.0.6:::::::* cpe:2.3:a:netty:netty:4.0.5:::::::* cpe:2.3:a:netty:netty:4.0.4:::::::* cpe:2.3:a:netty:netty:4.0.3:::::::* cpe:2.3:a:netty:netty:4.0.27:::::::* cpe:2.3:a:netty:netty:4.0.26:::::::* cpe:2.3:a:netty:netty:4.0.25:::::::* cpe:2.3:a:netty:netty:4.0.24:::::::* cpe:2.3:a:netty:netty:4.0.23:::::::* cpe:2.3:a:netty:netty:4.0.22:::::::* cpe:2.3:a:netty:netty:4.0.21:::::::* cpe:2.3:a:netty:netty:4.0.20:::::::* cpe:2.3:a:netty:netty:4.0.2:::::::* cpe:2.3:a:netty:netty:4.0.19:::::::* cpe:2.3:a:netty:netty:4.0.18:::::::* cpe:2.3:a:netty:netty:4.0.17:::::::* cpe:2.3:a:netty:netty:4.0.16:::::::* cpe:2.3:a:netty:netty:4.0.15:::::::* cpe:2.3:a:netty:netty:4.0.14:-:::::: cpe:2.3:a:netty:netty:4.0.13:::::::* cpe:2.3:a:netty:netty:4.0.12:::::::* cpe:2.3:a:netty:netty:4.0.11:::::::* cpe:2.3:a:netty:netty:4.0.10:::::::* cpe:2.3:a:netty:netty:4.0.1:::::::* cpe:2.3:a:netty:netty:4.0.0:::::::* cpe:2.3:a:netty:netty:3.9.1:::::::* cpe:2.3:a:netty:netty:3.9.0:::::::* cpe:2.3:a:netty:netty:3.8.1:::::::* cpe:2.3:a:netty:netty:3.8.0:::::::* cpe:2.3:a:netty:netty:3.7.0:::::::* cpe:2.3:a:netty:netty:3.6.8:::::::* cpe:2.3:a:netty:netty:3.6.7:::::::* cpe:2.3:a:netty:netty:3.6.6:::::::* cpe:2.3:a:netty:netty:3.6.5:::::::* cpe:2.3:a:netty:netty:3.6.4:::::::* cpe:2.3:a:netty:netty:3.6.3:::::::* cpe:2.3:a:netty:netty:3.6.2:::::::* cpe:2.3:a:netty:netty:3.6.1:::::::* cpe:2.3:a:netty:netty:3.6.0:-:::::: cpe:2.3:a:netty:netty:3.10.2:::::::* cpe:2.3:a:netty:netty:3.10.1:::::::* cpe:2.3:a:netty:netty:3.10.0:::::::* cpe:2.3:a:netty:netty::::::::	51
Application	Redhat Jboss Enterprise Application Platform cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:::::::* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*	3
Application	Redhat Jboss Enterprise Application Platform Text-Only Advisories cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:::::::*	1
Application	Redhat Openshift Application Runtimes Text-Only Advisories cpe:2.3:a:redhat:openshift_application_runtimes_text-only_advisories:-:::::::*	1
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::	1
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:8.0:::::::*	3
Os	Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:33:::::::*	1

Alert History

If you want to see full details history, please login or register.

Date	Informations
2020-05-23 13:03:45	Multiple Updates
2020-03-19 13:19:57	First insertion

Global Informations

Type	Count
CWE ID(s)	3
CPE ID(s)	63

	Related
9.1	CVE-2019-20445
9.1	CVE-2019-20444
7.5	CVE-2020-7238
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)

9.1 - RHSA-2020:0497

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU