Lucene search

RedHatRHSA-2021:4863

HistoryNov 30, 2021 - 2:21 p.m.

(RHSA-2021:4863) Important: Red Hat JBoss Web Server 5.6.0 Security release

2021-11-3014:21:16

access.redhat.com

red hat jboss

web server

security release

apache tomcat

cve-2021-42340

cve-2021-33037

cve-2021-30640

outofmemoryerror

http upgrade connection leak

dos

http request smuggling

jndi realm authentication weakness

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.15

Percentile

95.9%

JSON

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.

Security Fix(es):

tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.