From bugzilla at redhat.com Mon Apr 16 14:44:15 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 16 Apr 2007 10:44:15 -0400
Subject: [RHSA-2007:0151-01] Low: JBoss Application Server security update
Message-ID: <200704161444.l3GEiFsb028874@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Application Server security update
Advisory ID:       RHSA-2007:0151-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0151.html
Issue date:        2007-04-16
Updated on:        2007-04-16
Product:           JBoss Application Server
CVE Names:         CVE-2007-1354
- ---------------------------------------------------------------------

1. Summary:

Updated versions of JBoss Application Server that fix a security issue
are now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Problem description:

The JBoss Application Server is a powerful J2EE application server.

A flaw was found in the JMX Console fine-grained Access Control feature.
An administrator with 'Read Mode' privileges to the JMX service could
gain additional privileges if another administrator who had 'Write Mode'
privileges was logged into and accessed the console at the same time.
(CVE-2007-1354)

Note: Fine-grained Access Control was first added to JBoss Application
Server in June 2006; earlier versions are not affected by this issue.

Known vulnerable versions include: JBoss AS 4.0.2.GA_CP02, 4.0.2.GA_CP03,
4.0.2.GA_CP04, 4.0.5.GA, 4.0.5_CP01, and 4.0.5_CP02.

This vulnerability is rectified and does not affect JBoss AS releases
5.0.0.Beta2, 4.2.0.GA, 4.0.5.SP1, 3.2.8.SP2, and cumulative patches
4.0.5.GA_CP03, 4.0.2.GA_CP05, 4.0.4.GA_CP06, 4.0.3.SP1_CP05, and
3.2.8.SP1_CP01.

Users with an affected installation of JBoss Application Server who rely
on granting read-only privileges to the console should upgrade to one of
these updated versions.

3. Solution:

Updates are available from the JBoss Customer Support Portal (CSP) at
https://network.jboss.com/

4. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1354
http://jira.jboss.com/jira/browse/ASPATCH-172
http://jira.jboss.com/jira/browse/ASPATCH-175
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessControlForJMXConsole
http://www.redhat.com/security/updates/classification/#low

5. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFGI4uKXlSAg2UNWIIRAhqPAKCFy9r484vOk+k+8H0i7+x0SsvS+gCfXD5Z
cjHeqdDe7gkrDmaLRiKDPxc=
=d8yl
-----END PGP SIGNATURE-----