Executive Summary

Summary
Title Red Hat build of Eclipse Vert.x 3.8.5 security update
Informations
Name RHSA-2020:0567 First vendor Publication 2020-03-03
Vendor RedHat Last vendor Modification 2020-03-03
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Overall CVSS Score 9.1
Base Score 9.1 Environmental Score 9.1
impact SubScore 5.2 Temporal Score 9.1
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Cvss Base Score 6.4 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 3.8.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling

5. References:

https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/3.8/html/release_notes_for_eclipse_vert.x_3.8/index https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=3.8.5

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2020-0567.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 51
Application 3
Application 1
Application 1
Os 1
Os 3
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2020-05-23 13:03:45
  • Multiple Updates
2020-03-19 13:20:04
  • First insertion