-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update
Advisory ID:       RHSA-2021:3746-01
Product:           Red Hat JBoss Core Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3746
Issue date:        2021-10-07
CVE Names:         CVE-2021-40438 
====================================================================
1. Summary:

Updated packages that provide Red Hat JBoss Core Services Apache HTTP
Server 2.4.37 Service Pack 9, and fix an important security issue, are now
available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Core Services on RHEL 7 Server - noarch, ppc64, x86_64
Red Hat JBoss Core Services on RHEL 8 - noarch, x86_64

3. Description:

This release adds the new Apache HTTP Server 2.4.37 Service Pack 9 packages
that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Apache
HTTP Server 2.4.37 Service Pack 8 and includes an important security
update. Refer to the Release Notes for information on the security fix
included in this release.

Security Fix(es):

* httpd: mod_proxy: SSRF via a crafted request uri-path (CVE-2021-40438)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2005117 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:"
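The bug title above carries the only indicator this advisory gives for the flaw: a request uri-path containing "unix:". The following Python is an added example, not part of the advisory and not Red Hat tooling. It scans Apache combined-format access log lines for that indicator, percent-decoding the path first so an encoded colon is not missed, and returns the matching client, timestamp, target and status. The log lines are constructed; the addresses and paths in them are placeholders. A hit is a reason to review the host (and only matters where mod_proxy is in use), not proof of exploitation.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; addresses and paths are placeholders, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2021:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 3124
203.0.113.55 - - [07/Oct/2021:10:15:07 +0000] "GET /app/unix:sample HTTP/1.1" 502 430
198.51.100.7 - - [07/Oct/2021:10:15:09 +0000] "GET /app/unix%3Asample HTTP/1.1" 502 430
203.0.113.10 - - [07/Oct/2021:10:16:00 +0000] "GET /docs/linux-unix-guide.html HTTP/1.1" 200 9981
""".splitlines()


def parse_line(line):
    """Return the captured fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(target):
    """Drop the query string and percent-decode the path once (the standard decoding step)."""
    path = target.split('?', 1)[0]
    return unquote(path)


def is_suspect(target):
    """True when the decoded uri-path contains the literal 'unix:' named in the advisory."""
    return 'unix:' in request_path(target).lower()


def scan(lines):
    """Yield (client, timestamp, target, status) for every line whose path matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not guess
        if is_suspect(rec['target']):
            hits.append((rec['client'], rec['ts'], rec['target'], rec['status']))
    return hits


if __name__ == "__main__":
    for client, ts, target, status in scan(SAMPLE_LOG):
        print(f"{ts} {client} {status} {target}")
```

The fourth sample line shows why the match is on "unix:" and not on the word "unix": an ordinary document path is left alone. On a real host the lines would come from the access log of the JBoss Core Services httpd instance.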

6. Package List:

Red Hat JBoss Core Services on RHEL 7 Server:

Source:
jbcs-httpd24-httpd-2.4.37-76.jbcs.el7.src.rpm
jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_2.jbcs.el7.src.rpm
jbcs-httpd24-mod_http2-1.15.7-19.jbcs.el7.src.rpm
jbcs-httpd24-mod_jk-1.2.48-18.redhat_1.jbcs.el7.src.rpm
jbcs-httpd24-mod_md-2.0.8-38.jbcs.el7.src.rpm
jbcs-httpd24-mod_security-2.9.2-65.GA.jbcs.el7.src.rpm

noarch:
jbcs-httpd24-httpd-manual-2.4.37-76.jbcs.el7.noarch.rpm

ppc64:
jbcs-httpd24-mod_http2-1.15.7-19.jbcs.el7.ppc64.rpm
jbcs-httpd24-mod_http2-debuginfo-1.15.7-19.jbcs.el7.ppc64.rpm
jbcs-httpd24-mod_md-2.0.8-38.jbcs.el7.ppc64.rpm
jbcs-httpd24-mod_md-debuginfo-2.0.8-38.jbcs.el7.ppc64.rpm

x86_64:
jbcs-httpd24-httpd-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-httpd-devel-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-httpd-selinux-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-httpd-tools-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_2.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.16-7.Final_redhat_2.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_http2-1.15.7-19.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_http2-debuginfo-1.15.7-19.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.48-18.redhat_1.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_jk-debuginfo-1.2.48-18.redhat_1.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_jk-manual-1.2.48-18.redhat_1.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_ldap-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_md-2.0.8-38.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_md-debuginfo-2.0.8-38.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_proxy_html-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_security-2.9.2-65.GA.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.2-65.GA.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_session-2.4.37-76.jbcs.el7.x86_64.rpm
jbcs-httpd24-mod_ssl-2.4.37-76.jbcs.el7.x86_64.rpm

Red Hat JBoss Core Services on RHEL 8:

Source:
jbcs-httpd24-httpd-2.4.37-76.el8jbcs.src.rpm
jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_2.el8jbcs.src.rpm
jbcs-httpd24-mod_http2-1.15.7-19.el8jbcs.src.rpm
jbcs-httpd24-mod_jk-1.2.48-18.redhat_1.el8jbcs.src.rpm
jbcs-httpd24-mod_md-2.0.8-38.el8jbcs.src.rpm
jbcs-httpd24-mod_security-2.9.2-65.GA.el8jbcs.src.rpm

noarch:
jbcs-httpd24-httpd-manual-2.4.37-76.el8jbcs.noarch.rpm

x86_64:
jbcs-httpd24-httpd-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-devel-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-selinux-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-tools-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-tools-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_2.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.16-7.Final_redhat_2.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-1.15.7-19.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-debuginfo-1.15.7-19.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.48-18.redhat_1.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-debuginfo-1.2.48-18.redhat_1.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-manual-1.2.48-18.redhat_1.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ldap-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ldap-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_md-2.0.8-38.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_md-debuginfo-2.0.8-38.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_html-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_html-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_security-2.9.2-65.GA.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.2-65.GA.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_session-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_session-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ssl-2.4.37-76.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ssl-debuginfo-2.4.37-76.el8jbcs.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
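Confirming that the Solution section has been carried out means comparing the installed package set with the versions in the Package List using RPM's own version ordering, not plain string comparison. The following Python is an added example, not Red Hat tooling: it parses name-version-release.arch strings, implements the core of rpm's rpmvercmp() ordering (numeric and alphabetic segments, tilde sorting lowest; the newer caret operator is not handled), and reports each installed package against the advisory's fixed build. The fixed list is a subset of the RHEL 7 x86_64 entries from section 6 above; the inventory lines are constructed, as are the example-pkg name, and on a real host they would come from the rpm -qa query format shown in the comment. Epochs are assumed to be 0 throughout.

```python
import re

# Fixed builds copied from section 6 of the advisory (RHEL 7 x86_64 subset).
ADVISORY_RPMS = [
    "jbcs-httpd24-httpd-2.4.37-76.jbcs.el7.x86_64.rpm",
    "jbcs-httpd24-mod_ssl-2.4.37-76.jbcs.el7.x86_64.rpm",
    "jbcs-httpd24-mod_proxy_html-2.4.37-76.jbcs.el7.x86_64.rpm",
    "jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_2.jbcs.el7.x86_64.rpm",
    "jbcs-httpd24-mod_jk-ap24-1.2.48-18.redhat_1.jbcs.el7.x86_64.rpm",
]

# Constructed inventory, in the shape that
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# prints on a host that has only partly taken this erratum. "example-pkg" is a placeholder.
INSTALLED = [
    "jbcs-httpd24-httpd-2.4.37-70.jbcs.el7.x86_64",
    "jbcs-httpd24-mod_ssl-2.4.37-76.jbcs.el7.x86_64",
    "jbcs-httpd24-mod_cluster-native-1.3.16-7.Final_redhat_1.jbcs.el7.x86_64",
    "jbcs-httpd24-mod_jk-ap24-1.2.48-18.redhat_1.jbcs.el7.x86_64",
    "example-pkg-1.0-1.el7.x86_64",
]

_SEG = re.compile(r'[0-9]+|[a-zA-Z]+|~')


def split_nvra(s):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == '~' or y == '~':          # tilde sorts below everything, even end of string
            if x != '~':
                return 1
            if y != '~':
                return -1
            continue
        if x.isdigit() and y.isdigit():   # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():                 # numeric segment is newer than an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:                      # both alphabetic: plain string order
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)       # leftover segments: newer, unless they start with '~'
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == '~':
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def evr_cmp(a, b):
    """Order (version, release) pairs; epoch is assumed equal (0) for these packages."""
    r = rpmvercmp(a[0], b[0])
    return r if r else rpmvercmp(a[1], b[1])


def check_inventory(installed, advisory_rpms):
    """Map each installed package name to 'ok', 'needs update' or 'not in advisory'."""
    fixed = {}
    for f in advisory_rpms:
        n, v, r, arch = split_nvra(f)
        fixed[(n, arch)] = (v, r)
    report = {}
    for line in installed:
        n, v, r, arch = split_nvra(line)
        if (n, arch) not in fixed:
            report[n] = "not in advisory"
            continue
        report[n] = "ok" if evr_cmp((v, r), fixed[(n, arch)]) >= 0 else "needs update"
    return report


if __name__ == "__main__":
    for name, status in sorted(check_inventory(INSTALLED, ADVISORY_RPMS).items()):
        print(f"{status:15} {name}")
```

The same parser handles every line of section 6 for both RHEL 7 and RHEL 8, so the fixed list can be extended to the full Package List for the host's architecture. A build newer than the advisory's (for example a later service pack) reports "ok", which is the intended reading of the Solution section.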

7. References:

https://access.redhat.com/security/cve/CVE-2021-40438
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
