Project: Cloud Enablement
CLOUD-3163: Maven repositories must make HTTPS calls instead of HTTP and update vulnerable dependencies.


    • 2019 Week 14-16

      Red Hat was recently made aware that in certain Java repositories, we pull and build dependencies over HTTP instead of HTTPS. We recognize that using HTTP when HTTPS is available is less than desirable and are investigating the report. Importantly, using HTTP alone is not sufficient to effect an attack; an attacker needs to be in a position to perform a man-in-the-middle attack in the first place. The security of builds is important to Red Hat, so we will be taking steps to harden the process by changing calls to use HTTPS where possible.

      Used by EAP, RHDM, RHPAM, RHDS, RHIPS, AMQ (all for clustering):

      Also we need to update the libraries:

      Upgrade io.undertow:undertow-core to version 1.3.31 or later

      • CVE-2017-2666
      • CVE-2017-2670

      Upgrade org.apache.activemq:activemq-client to version 5.15.9 or later

      • CVE-2019-0222
      • CVE-2018-11775
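      As an added example (not part of this ticket or of any Red Hat project code), a small Python audit that walks a pom.xml for repository URLs still fetched over http:// and for the two artifacts pinned below the fixed versions named above. The sample POM and its repo.example.com URLs are constructed for this check, and the version comparison assumes dotted numeric versions with an optional trailing qualifier such as .Final.

```python
import xml.etree.ElementTree as ET
from itertools import takewhile

# Minimum fixed versions named in the ticket, keyed by (groupId, artifactId).
MIN_VERSIONS = {
    ("io.undertow", "undertow-core"): "1.3.31",
    ("org.apache.activemq", "activemq-client"): "5.15.9",
}

def version_key(version):
    """'1.3.28.Final' -> (1, 3, 28); trailing non-numeric qualifiers are ignored."""
    parts = version.replace("-", ".").split(".")
    return tuple(int(p) for p in takewhile(str.isdigit, parts))

def audit_pom(pom_xml):
    """Return (finding, id, detail) tuples for plain-HTTP repositories and outdated artifacts."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM default namespace so plain tag names match
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.iterfind("properties/*")}
    findings = []
    # 1. Any repository-like element fetched over http:// is exposed to on-path tampering.
    for tag in ("repository", "pluginRepository", "snapshotRepository"):
        for repo in root.iter(tag):
            url = (repo.findtext("url") or "").strip()
            if url.lower().startswith("http://"):
                findings.append(("HTTP_REPOSITORY", repo.findtext("id") or "?", url))
    # 2. Any dependency (direct or in dependencyManagement) below the ticket's minimum.
    for dep in root.iter("dependency"):
        coords = (dep.findtext("groupId") or "", dep.findtext("artifactId") or "")
        version = (dep.findtext("version") or "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], "")  # resolve a <properties> reference
        minimum = MIN_VERSIONS.get(coords)
        if minimum and version and version_key(version) < version_key(minimum):
            findings.append(("OUTDATED_DEPENDENCY", ":".join(coords), f"{version} < {minimum}"))
    return findings

# Constructed sample POM: one plain-HTTP repository and one undertow-core below the fix version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><undertow.version>1.3.28.Final</undertow.version></properties>
  <repositories>
    <repository><id>plain-http</id><url>http://repo.example.com/maven2/</url></repository>
    <repository><id>tls</id><url>https://repo.example.com/maven2/</url></repository>
  </repositories>
  <dependencies>
    <dependency><groupId>io.undertow</groupId><artifactId>undertow-core</artifactId><version>${undertow.version}</version></dependency>
    <dependency><groupId>org.apache.activemq</groupId><artifactId>activemq-client</artifactId><version>5.15.9</version></dependency>
  </dependencies>
</project>"""
```

Running `audit_pom(SAMPLE_POM)` reports the plain-http repository and the undertow-core pin; the HTTPS repository and activemq-client 5.15.9 produce no findings.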

              rhn-support-zanini Ricardo Zanini
              rhn-support-fspolti Filippe Spolti
              Karel Suta Karel Suta