Bug 1875176 (CVE-2020-14384)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2020-14384 jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS | | |
| Product: | [Other] Security Response | Reporter: | Kunjan Rathod <krathod> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aboyko, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, iweiss, jawilson, jochrist, jolee, jperkins, jschatte, jstastny, jwon, krathod, kwills, lgao, msochure, msvehla, nwallace, pjindal, pmackay, psotirop, rfreire, rguimara, rstancel, rsvoboda, security-response-team, smaestri, tom.jenkinson, vhalbert |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | jbossweb 7.5.31.Final-redhat-3 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-14 13:17:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1875177 | | |
| Bug Blocks: | 1875065 | | |
Description

Kunjan Rathod, 2020-09-02 23:50:08 UTC

Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3731 https://access.redhat.com/errata/RHSA-2020:3731

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2020:3730 https://access.redhat.com/errata/RHSA-2020:3730

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14384

This issue has been addressed in the following products:

EAP 6.4.24 release

Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460