{ "threat_severity" : "Important", "public_date" : "2020-01-29T00:00:00Z", "bugzilla" : { "description" : "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "id" : "1798509", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability." ], "statement" : "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch's security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we're reducing the impact of this issue to moderate and may fix it in the future release.\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n[1] https://github.com/elastic/elasticsearch/issues/49396", "affected_release" : [ { "product_name" : "AMQ Clients 2.y for RHEL 6", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el6", "package" : "qpid-proton-0:0.30.0-4.el6_10" }, { "product_name" : "AMQ Clients 2.y for RHEL 7", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el7", "package" : "qpid-proton-0:0.30.0-2.el7" }, { "product_name" : "AMQ Clients 2.y for RHEL 7", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el7", "package" : "rubygem-qpid_proton-0:0.30.0-1.el7" }, { "product_name" : "AMQ Clients 2.y for RHEL 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el8", "package" : "nodejs-rhea-0:1.0.16-1.el8" }, { "product_name" : "AMQ Clients 2.y for RHEL 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el8", "package" : "qpid-proton-0:0.30.0-3.el8" }, { "product_name" : "AMQ Clients 2.y for RHEL 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0601", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el8", "package" : "rubygem-qpid_proton-0:0.30.0-1.el8" }, { "product_name" : "EAP-CD 19 Tech Preview", "release_date" : "2020-05-28T00:00:00Z", "advisory" : "RHSA-2020:2333", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd:19", "package" : "netty" }, { "product_name" : "Red Hat AMQ", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0922", "cpe" : "cpe:/a:redhat:amq_broker:7", "package" : "netty" }, { "product_name" : "Red Hat AMQ 7.4.3", "release_date" : "2020-04-14T00:00:00Z", "advisory" : "RHSA-2020:1445", "cpe" : "cpe:/a:redhat:amq_broker:7", "package" : "netty" }, { "product_name" : "Red Hat AMQ Online 1.3.3 GA", "release_date" : "2020-02-13T00:00:00Z", "advisory" : "RHSA-2020:0497", "cpe" : "cpe:/a:redhat:amq_online:1.3", "package" : "netty" }, { "product_name" : "Red Hat AMQ Streams 1", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0939", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "netty" }, { "product_name" : "Red Hat Data Grid 7.3.6", "release_date" : "2020-05-26T00:00:00Z", "advisory" : "RHSA-2020:2321", "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3", "package" : "netty" }, { "product_name" : "Red Hat Decision Manager 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3196", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8", "package" : "netty" }, { "product_name" : "Red Hat Fuse 7.7.0", "release_date" : "2020-07-28T00:00:00Z", "advisory" : "RHSA-2020:3192", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "netty" }, { "product_name" : "Red Hat Fuse 7.9", "release_date" : "2021-08-11T00:00:00Z", "advisory" : "RHSA-2021:3140", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "karaf-transaction-manager-narayana", "impact" : "low" }, { "product_name" : "Red Hat JBoss EAP 7.2", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0606", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2" }, { "product_name" : "Red Hat JBoss EAP 7.2", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0811", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2", "package" : "netty" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2024-08-26T00:00:00Z", "advisory" : "RHSA-2024:5856", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0605", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-activemq-artemis-0:2.9.0-2.redhat_00009.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00003.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-glassfish-jaxb-0:2.3.3-4.b02_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-glassfish-jsf-0:2.3.5-7.SP3_redhat_00005.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-hal-console-0:3.0.20-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-hibernate-0:5.3.15-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-infinispan-0:9.3.8-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-ironjacamar-0:1.4.20-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-jackson-databind-0:2.9.10.2-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-jaegertracing-jaeger-client-java-0:0.34.1-1.redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-jboss-ejb-client-0:4.0.28-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-jboss-remoting-0:5.0.17-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-jboss-server-migration-0:1.3.1-8.Final_redhat_00009.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-picketlink-bindings-0:2.5.5-23.SP12_redhat_00012.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-stax2-api-0:4.2.0-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-sun-istack-commons-0:3.0.10-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-thrift-0:0.13.0-1.redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-wildfly-0:7.2.7-4.GA_redhat_00004.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-wildfly-http-client-0:1.0.20-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-wildfly-openssl-0:1.0.9-2.SP03_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-wildfly-openssl-linux-x86_64-0:1.0.9-2.SP03_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-wildfly-transaction-client-0:1.1.9-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-woodstox-core-0:6.0.3-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0804", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package" : "eap7-xml-security-0:2.1.4-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0605", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-activemq-artemis-0:2.9.0-2.redhat_00009.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00003.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-glassfish-jaxb-0:2.3.3-4.b02_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-glassfish-jsf-0:2.3.5-7.SP3_redhat_00005.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-hal-console-0:3.0.20-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-hibernate-0:5.3.15-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-infinispan-0:9.3.8-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-ironjacamar-0:1.4.20-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-jackson-databind-0:2.9.10.2-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-jaegertracing-jaeger-client-java-0:0.34.1-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-jboss-ejb-client-0:4.0.28-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-jboss-remoting-0:5.0.17-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-jboss-server-migration-0:1.3.1-8.Final_redhat_00009.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-picketlink-bindings-0:2.5.5-23.SP12_redhat_00012.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-stax2-api-0:4.2.0-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-sun-istack-commons-0:3.0.10-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-thrift-0:0.13.0-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-wildfly-0:7.2.7-4.GA_redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-wildfly-http-client-0:1.0.20-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-wildfly-openssl-0:1.0.9-2.SP03_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-wildfly-openssl-linux-x86_64-0:1.0.9-2.SP03_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-wildfly-transaction-client-0:1.1.9-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-woodstox-core-0:6.0.3-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0805", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package" : "eap7-xml-security-0:2.1.4-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0605", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-activemq-artemis-0:2.9.0-2.redhat_00009.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00003.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-glassfish-jaxb-0:2.3.3-4.b02_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-glassfish-jsf-0:2.3.5-7.SP3_redhat_00005.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-hal-console-0:3.0.20-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-hibernate-0:5.3.15-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-infinispan-0:9.3.8-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-ironjacamar-0:1.4.20-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-jackson-databind-0:2.9.10.2-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-jaegertracing-jaeger-client-java-0:0.34.1-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-jboss-ejb-client-0:4.0.28-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-jboss-remoting-0:5.0.17-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-jboss-server-migration-0:1.3.1-8.Final_redhat_00009.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-picketlink-bindings-0:2.5.5-23.SP12_redhat_00012.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-stax2-api-0:4.2.0-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-sun-istack-commons-0:3.0.10-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-thrift-0:0.13.0-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-wildfly-0:7.2.7-4.GA_redhat_00004.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-wildfly-http-client-0:1.0.20-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-wildfly-openssl-0:1.0.9-2.SP03_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-wildfly-openssl-linux-x86_64-0:1.0.9-2.SP03_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-wildfly-transaction-client-0:1.1.9-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-woodstox-core-0:6.0.3-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date" : "2020-03-12T00:00:00Z", "advisory" : "RHSA-2020:0806", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package" : "eap7-xml-security-0:2.1.4-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat Process Automation 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3197", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8", "package" : "netty" }, { "product_name" : "Red Hat Single Sign-On 7.3", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0951", "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3", "package" : "netty" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2020-03-03T00:00:00Z", "advisory" : "RHSA-2020:0567", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "netty" } ], "package_state" : [ { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "netty", "cpe" : "cpe:/a:redhat:jboss_amq:6", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Out of support scope", "package_name" : "netty", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "netty", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "netty", "cpe" : "cpe:/a:redhat:jboss_fuse:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "netty", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Will not fix", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-20445\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-20445" ], "name" : "CVE-2019-20445", "mitigation" : { "value" : "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "lang" : "en:us" }, "csaw" : false }