From bugzilla at redhat.com Thu Nov 6 17:22:11 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Nov 2014 17:22:11 +0000
Subject: [RHSA-2014:1818-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Message-ID: <201411061722.sA6HMBRQ029028@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Advisory ID:       RHSA-2014:1818-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1818.html
Issue date:        2014-11-06
CVE Names:         CVE-2013-4002
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.2 and fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements.
A list of these changes is available from the JBoss Enterprise Application Platform 6.3.2 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
1147622 - RHEL6 RPMs: Upgrade apache-cxf-xjc-utils to 2.6.2.redhat-1
1147628 - RHEL6 RPMs: Upgrade xml-security to 1.5.7.redhat-1
1149797 - RHEL6 RPMs: Upgrade wss4j to 1.6.16.redhat-2
1149800 - RHEL6 RPMs: Upgrade jbossws-cxf to 4.3.1.Final-redhat-1
1149803 - RHEL6 RPMs: Upgrade jbossws-common to 2.3.1.Final-redhat-1
1149814 - RHEL6 RPMs: Upgrade netty to 3.6.10.Final-redhat-1
1149817 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.12.SP1-redhat-1
1149820 - RHEL6 RPMs: Upgrade jboss-hal to 2.2.11.Final-redhat-1
1149823 - RHEL6 RPMs: Upgrade jboss-remoting3-jmx to 1.1.3.Final-redhat-2
1149826 - RHEL6 RPMs: Upgrade jboss-xnio-base to 3.0.11.GA-redhat-2
1150704 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP4-redhat-1
1150894 - RHEL6 RPMs: Upgrade ironjacamar-eap6 to 1.0.28.Final-redhat-1
1151605 - RHEL6 RPMs: Upgrade weld-core to 1.1.25.Final-redhat-2
1151609 - RHEL6 RPMs: Upgrade jboss-metadata to 7.1.2.Final-redhat-1
1151612 - RHEL6 RPMs: Upgrade jboss-as-console to 2.2.11.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 6:

Source:
apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el6.src.rpm
apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.src.rpm
javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el6.src.rpm
jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el6.src.rpm
jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el6.src.rpm
netty-3.6.10-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el6.src.rpm
picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el6.src.rpm
resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el6.src.rpm
weld-core-1.1.25-1.Final_redhat_2.1.ep6.el6.src.rpm
wss4j-1.6.16-1.redhat_2.1.ep6.el6.src.rpm
xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el6.src.rpm
xml-security-1.5.7-2.redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el6.noarch.rpm
apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el6.noarch.rpm
cxf-xjc-boolean-2.6.2-3.redhat_1.1.ep6.el6.noarch.rpm
cxf-xjc-dv-2.6.2-3.redhat_1.1.ep6.el6.noarch.rpm
cxf-xjc-ts-2.6.2-3.redhat_1.1.ep6.el6.noarch.rpm
hibernate4-core-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-entitymanager-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-spi-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-jdbc-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-spec-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-validator-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6.noarch.rpm
javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-appclient-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-common-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-ear-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-ejb-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-web-7.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el6.noarch.rpm
jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el6.noarch.rpm
netty-3.6.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el6.noarch.rpm
resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el6.noarch.rpm
weld-core-1.1.25-1.Final_redhat_2.1.ep6.el6.noarch.rpm
wss4j-1.6.16-1.redhat_2.1.ep6.el6.noarch.rpm
xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el6.noarch.rpm
xjc-utils-2.6.2-3.redhat_1.1.ep6.el6.noarch.rpm
xml-security-1.5.7-2.redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-4002
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUW64xXlSAg2UNWIIRAvzyAKC/hCAx4HvaLM0H0U0KGkZfvDhWfQCfUFcV
dHAMipnsWr6x1EIgWCX1o2U=
=Vak9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 6 17:23:29 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Nov 2014 17:23:29 +0000
Subject: [RHSA-2014:1821-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Message-ID: <201411061723.sA6HNTfW029933@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Advisory ID:       RHSA-2014:1821-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1821.html
Issue date:        2014-11-06
CVE Names:         CVE-2013-4002
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.2 and fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.2 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
1147623 - RHEL5 RPMs: Upgrade apache-cxf-xjc-utils to 2.6.2.redhat-1
1147629 - RHEL5 RPMs: Upgrade xml-security to 1.5.7.redhat-1
1149798 - RHEL5 RPMs: Upgrade wss4j to 1.6.16.redhat-2
1149801 - RHEL5 RPMs: Upgrade jbossws-cxf to 4.3.1.Final-redhat-1
1149804 - RHEL5 RPMs: Upgrade jbossws-common to 2.3.1.Final-redhat-1
1149815 - RHEL5 RPMs: Upgrade netty to 3.6.10.Final-redhat-1
1149818 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.12.SP1-redhat-1
1149821 - RHEL5 RPMs: Upgrade jboss-hal to 2.2.11.Final-redhat-1
1149824 - RHEL5 RPMs: Upgrade jboss-remoting3-jmx to 1.1.3.Final-redhat-2
1149827 - RHEL5 RPMs: Upgrade jboss-xnio-base to 3.0.11.GA-redhat-2
1150705 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP4-redhat-1
1150895 - RHEL5 RPMs: Upgrade ironjacamar-eap6 to 1.0.28.Final-redhat-1
1151607 - RHEL5 RPMs: Upgrade weld-core to 1.1.25.Final-redhat-2
1151610 - RHEL5 RPMs: Upgrade jboss-metadata to 7.1.2.Final-redhat-1
1151613 - RHEL5 RPMs: Upgrade jboss-as-console to 2.2.11.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 5:

Source:
apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el5.src.rpm
apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.src.rpm
javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el5.src.rpm
jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el5.src.rpm
jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el5.src.rpm
jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el5.src.rpm
netty-3.6.10-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el5.src.rpm
picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el5.src.rpm
resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el5.src.rpm
weld-core-1.1.25-1.Final_redhat_2.1.ep6.el5.src.rpm
wss4j-1.6.16-1.redhat_2.1.ep6.el5.src.rpm
xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el5.src.rpm
xml-security-1.5.7-2.redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el5.noarch.rpm
apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el5.noarch.rpm
cxf-xjc-boolean-2.6.2-3.redhat_1.1.ep6.el5.noarch.rpm
cxf-xjc-dv-2.6.2-3.redhat_1.1.ep6.el5.noarch.rpm
cxf-xjc-ts-2.6.2-3.redhat_1.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-spi-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-jdbc-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-spec-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-validator-eap6-1.0.28-1.Final_redhat_1.1.ep6.el5.noarch.rpm
javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-appclient-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-common-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-ear-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-ejb-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-web-7.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el5.noarch.rpm
jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el5.noarch.rpm
netty-3.6.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el5.noarch.rpm
resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el5.noarch.rpm
weld-core-1.1.25-1.Final_redhat_2.1.ep6.el5.noarch.rpm
wss4j-1.6.16-1.redhat_2.1.ep6.el5.noarch.rpm
xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el5.noarch.rpm
xjc-utils-2.6.2-3.redhat_1.1.ep6.el5.noarch.rpm
xml-security-1.5.7-2.redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-4002
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUW65lXlSAg2UNWIIRAkvzAJ9zqSRckYzkLgy+rC5UgiY5yFsgdACfQ/0B
K9rZAm7Lcq7oYuT4/GeR4XA=
=OeIf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 6 17:25:22 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Nov 2014 17:25:22 +0000
Subject: [RHSA-2014:1822-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Message-ID: <201411061725.sA6HPMIA028518@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Advisory ID:       RHSA-2014:1822-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1822.html
Issue date:        2014-11-06
CVE Names:         CVE-2013-4002
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.2 and fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 7 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.2 Downloads page on the Customer Portal. All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. 
Bugs fixed (https://bugzilla.redhat.com/): 1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) 1147624 - RHEL7 RPMs: Upgrade apache-cxf-xjc-utils to 2.6.2.redhat-1 1147630 - RHEL7 RPMs: Upgrade xml-security to 1.5.7.redhat-1 1149799 - RHEL7 RPMs: Upgrade wss4j to 1.6.16.redhat-2 1149802 - RHEL7 RPMs: Upgrade jbossws-cxf to 4.3.1.Final-redhat-1 1149805 - RHEL7 RPMs: Upgrade jbossws-common to 2.3.1.Final-redhat-1 1149816 - RHEL7 RPMs: Upgrade netty to 3.6.10.Final-redhat-1 1149819 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.12.SP1-redhat-1 1149822 - RHEL7 RPMs: Upgrade jboss-hal to 2.2.11.Final-redhat-1 1149825 - RHEL7 RPMs: Upgrade jboss-remoting3-jmx to 1.1.3.Final-redhat-2 1149828 - RHEL7 RPMs: Upgrade jboss-xnio-base to 3.0.11.GA-redhat-2 1150706 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP4-redhat-1 1150896 - RHEL7 RPMs: Upgrade ironjacamar-eap6 to 1.0.28.Final-redhat-1 1151608 - RHEL7 RPMs: Upgrade weld-core to 1.1.25.Final-redhat-2 1151611 - RHEL7 RPMs: Upgrade jboss-metadata to 7.1.2.Final-redhat-1 1151614 - RHEL7 RPMs: Upgrade jboss-as-console to 2.2.11.Final-redhat-1 6. 
Package List: Red Hat JBoss EAP 6.3 for RHEL 7: Source: apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el7.src.rpm apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el7.src.rpm hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.src.rpm ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.src.rpm javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el7.src.rpm jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm 
jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el7.src.rpm jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el7.src.rpm 
jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el7.src.rpm jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el7.src.rpm jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el7.src.rpm netty-3.6.10-1.Final_redhat_1.1.ep6.el7.src.rpm picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el7.src.rpm picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el7.src.rpm resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el7.src.rpm weld-core-1.1.25-1.Final_redhat_2.1.ep6.el7.src.rpm wss4j-1.6.16-1.redhat_2.1.ep6.el7.src.rpm xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el7.src.rpm xml-security-1.5.7-2.redhat_1.1.ep6.el7.src.rpm noarch: apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el7.noarch.rpm apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el7.noarch.rpm cxf-xjc-boolean-2.6.2-3.redhat_1.1.ep6.el7.noarch.rpm cxf-xjc-dv-2.6.2-3.redhat_1.1.ep6.el7.noarch.rpm cxf-xjc-ts-2.6.2-3.redhat_1.1.ep6.el7.noarch.rpm hibernate4-core-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.noarch.rpm hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.noarch.rpm hibernate4-entitymanager-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.noarch.rpm hibernate4-envers-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.noarch.rpm hibernate4-infinispan-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-common-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-common-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-common-spi-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-core-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm 
ironjacamar-core-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-deployers-common-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-jdbc-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-spec-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-validator-eap6-1.0.28-1.Final_redhat_1.1.ep6.el7.noarch.rpm javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el7.noarch.rpm jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm 
jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm 
jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-metadata-appclient-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-metadata-common-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-metadata-ear-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-metadata-ejb-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-metadata-web-7.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el7.noarch.rpm jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el7.noarch.rpm jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el7.noarch.rpm netty-3.6.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el7.noarch.rpm picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el7.noarch.rpm resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el7.noarch.rpm weld-core-1.1.25-1.Final_redhat_2.1.ep6.el7.noarch.rpm wss4j-1.6.16-1.redhat_2.1.ep6.el7.noarch.rpm xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el7.noarch.rpm xjc-utils-2.6.2-3.redhat_1.1.ep6.el7.noarch.rpm xml-security-1.5.7-2.redhat_1.1.ep6.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References: https://access.redhat.com/security/cve/CVE-2013-4002 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUW660XlSAg2UNWIIRApw9AKCdJiMGSN4DzYlJReAifjDxadU9UgCfbDwU IUzmnmvV0ixremdwRy7Il5c= =4MgE -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 6 17:26:06 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 6 Nov 2014 17:26:06 +0000 Subject: [RHSA-2014:1823-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update Message-ID: <201411061726.sA6HQ6sp001240@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update Advisory ID: RHSA-2014:1823-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1823.html Issue date: 2014-11-06 CVE Names: CVE-2013-4002 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.2 and fix one security issue, several bugs, and add various enhancements are now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A resource consumption issue was found in the way Xerces-J handled XML declarations. 
A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.2 Downloads page on the Customer Portal. All users of Red Hat JBoss Enterprise Application Platform 6.3 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. 4. Bugs fixed (https://bugzilla.redhat.com/): 1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) 5. References: https://access.redhat.com/security/cve/CVE-2013-4002 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=6.3 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
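The three advisories above describe the same weakness: the XML declaration (the `<?xml ... ?>` prolog) is parsed before any document-size policy applies, so an oversized pseudo-attribute name there can cost far more CPU than the rest of the document. The fix is the updated xerces-j2-eap6 package; the following is an added defence-in-depth check, written for this page in Python rather than taken from Red Hat, Xerces-J or JBoss EAP, that bounds the declaration cheaply before a full parser sees the bytes. The byte limits and the helper names are assumptions chosen for the example.

```python
"""Bound the XML declaration before handing a document to a full parser.

Added example for this page; not Red Hat, Xerces-J or JBoss EAP code.
The Java parser named in the advisory is out of scope here; the point is
the shape of the front-end check, which applies to any XML consumer.
"""
import re
import xml.etree.ElementTree as ET

# Assumed limits for this example. A legitimate declaration is tiny:
# the longest standard pseudo-attribute name is "standalone" (10 bytes).
MAX_DECL_BYTES = 256
MAX_PSEUDO_ATTR_NAME = 16
ALLOWED_PSEUDO_ATTRS = {"version", "encoding", "standalone"}

# name = "value" | name = 'value'   (inside the declaration only)
_PSEUDO_ATTR_RE = re.compile(rb"([^\s=]+)\s*=\s*(\"[^\"]*\"|'[^']*')")


class XmlDeclarationRejected(ValueError):
    """Raised when the prolog violates the size or content policy."""


def check_xml_declaration(data: bytes) -> dict:
    """Validate the XML declaration in O(MAX_DECL_BYTES) time.

    Returns the pseudo-attributes as a dict (empty when there is no
    declaration). Raises XmlDeclarationRejected on an unterminated or
    oversized declaration, an overlong pseudo-attribute name, or a
    name outside the three the XML 1.0 grammar allows.
    """
    if not data.startswith(b"<?xml"):
        return {}
    # Only look for the terminator inside the bounded window, so an
    # arbitrarily long declaration is rejected without being scanned.
    end = data.find(b"?>", 0, MAX_DECL_BYTES + 2)
    if end == -1:
        raise XmlDeclarationRejected(
            "XML declaration not terminated within %d bytes" % MAX_DECL_BYTES)
    decl = data[5:end]
    attrs = {}
    for name, quoted in _PSEUDO_ATTR_RE.findall(decl):
        if len(name) > MAX_PSEUDO_ATTR_NAME:
            raise XmlDeclarationRejected(
                "pseudo-attribute name too long (%d bytes)" % len(name))
        name_s = name.decode("ascii", "replace")
        if name_s not in ALLOWED_PSEUDO_ATTRS:
            raise XmlDeclarationRejected("unexpected pseudo-attribute %r" % name_s)
        attrs[name_s] = quoted[1:-1].decode("ascii", "replace")
    return attrs


def is_declaration_acceptable(data: bytes) -> bool:
    """Boolean form of the check, convenient for gateways and tests."""
    try:
        check_xml_declaration(data)
        return True
    except XmlDeclarationRejected:
        return False


def parse_guarded(data: bytes) -> ET.Element:
    """Run the cheap prolog check, then the real parser."""
    check_xml_declaration(data)
    return ET.fromstring(data)


if __name__ == "__main__":
    # Constructed sample inputs.
    good = b'<?xml version="1.0" encoding="UTF-8"?><root><child/></root>'
    print(check_xml_declaration(good), parse_guarded(good).tag)
    oversized = b'<?xml version="1.0" ' + b"a" * 4096 + b'="1"?><root/>'
    print("oversized accepted:", is_declaration_acceptable(oversized))
```

Place the check at the trust boundary (a servlet filter, an API gateway, a message consumer) where the raw bytes are available; once a DOM or SAX parser has been handed the stream, the prolog has already been processed. The allow-list on names is stricter than the XML grammar requires for validity, but no well-formed declaration from a conforming producer uses any other name.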
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUW68IXlSAg2UNWIIRAqYVAJ92MIQWF1QZxmtNhBC4d28L7FGFzgCgrUEC Y1G3ZpLoy23ryegMYfWQB2c= =Fi5F -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Nov 10 19:35:57 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 10 Nov 2014 19:35:57 +0000 Subject: [RHSA-2014:1833-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Message-ID: <201411101935.sAAJZw9s026338@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Advisory ID: RHSA-2014:1833-01 Product: Red Hat JBoss Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1833.html Issue date: 2014-11-10 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Platform 5 for RHEL 4 AS - noarch Red Hat JBoss Web Platform 5 for RHEL 4 ES - noarch Red Hat JBoss Web Platform 5 for RHEL 5 Server - noarch Red Hat JBoss Web Platform 5 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. 
A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Web Platform 5 installation (including all applications and configuration files). This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 6. Package List: Red Hat JBoss Web Platform 5 for RHEL 4 AS: Source: apache-cxf-2.2.12-14.patch_09.ep5.el4.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el4.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 4 ES: Source: apache-cxf-2.2.12-14.patch_09.ep5.el4.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el4.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 5 Server: Source: apache-cxf-2.2.12-14.patch_09.ep5.el5.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el5.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 6 Server: Source: apache-cxf-2.2.12-14.patch_09.el6.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.el6.noarch.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2012-6153 https://access.redhat.com/security/cve/CVE-2014-3577 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/solutions/1165533 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUYROIXlSAg2UNWIIRAuG8AJ9+JErVQXGYwkJiHK4MmuvKUPe8agCaAn4R vSj3kCG7drK2bMMjSscD8Bc= =Tecd -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Nov 10 19:38:05 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 10 Nov 2014 19:38:05 +0000 Subject: [RHSA-2014:1834-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Message-ID: <201411101938.sAAJc5AN027407@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Advisory ID: RHSA-2014:1834-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1834.html Issue date: 2014-11-10 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files). This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 6. 
Package List: Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS: Source: apache-cxf-2.2.12-14.patch_09.ep5.el4.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el4.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES: Source: apache-cxf-2.2.12-14.patch_09.ep5.el4.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el4.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server: Source: apache-cxf-2.2.12-14.patch_09.ep5.el5.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.ep5.el5.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server: Source: apache-cxf-2.2.12-14.patch_09.el6.src.rpm noarch: apache-cxf-2.2.12-14.patch_09.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2012-6153 https://access.redhat.com/security/cve/CVE-2014-3577 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/solutions/1165533 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUYRP+XlSAg2UNWIIRAtigAKCb9Y7HYg7cza4/10MiOVlw+RxyfACfbSMo p2XmBT4Oqr5c0UyyRgvz0vI= =WT1c -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Nov 10 19:38:42 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 10 Nov 2014 19:38:42 +0000 Subject: [RHSA-2014:1835-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Message-ID: <201411101938.sAAJcgoD023023@int-mx14.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Advisory ID: RHSA-2014:1835-01 Product: Red Hat JBoss Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1835.html Issue date: 2014-11-10 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes two security issues is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. 
For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files). 4. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 5. References: https://access.redhat.com/security/cve/CVE-2012-6153 https://access.redhat.com/security/cve/CVE-2014-3577 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0 https://access.redhat.com/solutions/1165533 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
From bugzilla at redhat.com Mon Nov 10 19:39:09 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Nov 2014 19:39:09 +0000
Subject: [RHSA-2014:1836-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201411101939.sAAJdAte002218@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:  RHSA-2014:1836-01
Product:      Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1836.html
Issue date:   2014-11-10
CVE Names:    CVE-2012-6153 CVE-2014-3577
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 5.2.0 that fixes two security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was discovered that the HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

For additional information on these flaws, refer to the Knowledgebase article in the References section.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0
https://access.redhat.com/solutions/1165533

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Mon Nov 24 21:05:51 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Nov 2014 21:05:51 +0000
Subject: [RHSA-2014:1891-01] Important: Red Hat JBoss BRMS 6.0.3 security update
Message-ID: <201411242105.sAOL5p11023155@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: Red Hat JBoss BRMS 6.0.3 security update
Advisory ID:  RHSA-2014:1891-01
Product:      Red Hat JBoss BRMS
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1891.html
Issue date:   2014-11-24
CVE Names:    CVE-2012-6153 CVE-2014-3577
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.0.3 roll up patch 1, which fixes two security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS 6.0.3, and includes bug fixes and enhancements. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are fixed with this release:

It was discovered that Jakarta Commons HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Mon Nov 24 21:06:08 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Nov 2014 21:06:08 +0000
Subject: [RHSA-2014:1892-01] Important: Red Hat JBoss BPM Suite 6.0.3 update
Message-ID: <201411242106.sAOL683e011599@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: Red Hat JBoss BPM Suite 6.0.3 update
Advisory ID:  RHSA-2014:1892-01
Product:      Red Hat JBoss BPM Suite
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1892.html
Issue date:   2014-11-24
CVE Names:    CVE-2012-6153 CVE-2014-3577
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.0.3 roll up patch 1, which fixes two security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss BPM Suite 6.0.3, and includes bug fixes and enhancements. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are fixed with this release:

It was discovered that Jakarta Commons HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Tue Nov 25 16:52:44 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 25 Nov 2014 16:52:44 +0000
Subject: [RHSA-2014:1904-01] Important: Red Hat JBoss Operations Network 3.3.0 update
Message-ID: <201411251652.sAPGqiFi013204@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: Red Hat JBoss Operations Network 3.3.0 update
Advisory ID:  RHSA-2014:1904-01
Product:      Red Hat JBoss Operations Network
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1904.html
Issue date:   2014-11-25
CVE Names:    CVE-2012-6153 CVE-2013-2035 CVE-2014-0059 CVE-2014-3481 CVE-2014-3490 CVE-2014-3577
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.2.3, which fixes multiple security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.0 release serves as a replacement for JBoss Operations Network 3.2.3, and includes several bug fixes. Refer to the JBoss Operations Network 3.3.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/

The following security issues are also fixed with this release:

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity (XXE) attacks on RESTEasy applications accepting XML input. (CVE-2014-3481)

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file. (CVE-2014-0059)

The CVE-2013-2035 and CVE-2012-6153 issues were discovered by Florian Weimer of Red Hat Product Security. The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team. The CVE-2014-3490 issue was discovered by David Jorm of Red Hat Product Security.

All users of JBoss Operations Network 3.2.3 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.3.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.0 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities
1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2013-2035
https://access.redhat.com/security/cve/CVE-2014-0059
https://access.redhat.com/security/cve/CVE-2014-3481
https://access.redhat.com/security/cve/CVE-2014-3490
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3.0
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
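The host name checks behind CVE-2012-6153 and CVE-2014-3577 in the advisories above went wrong in how the CN was pulled out of the certificate subject. As an added example, not code from Red Hat, HttpClient or CXF, the following Java class does the comparison the way a verifier should: dNSName subjectAltName entries take precedence, and the CN is consulted only as a fallback and only after the DN has been parsed into RDNs with javax.naming.ldap.LdapName rather than searched as a string. The class name HostnameMatcher is my own.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Host name matching that prefers dNSName SANs and reads the CN from a parsed DN, never from a DN string. */
public final class HostnameMatcher {
    /** True when the certificate is valid for host; false on any doubt (fail closed). */
    public static boolean matches(String host, X509Certificate cert) {
        List<String> names = dnsSubjectAltNames(cert);
        if (names.isEmpty()) names = commonNames(cert); // RFC 6125: CN only when no dNSName SAN exists
        for (String name : names) if (matchesName(host, name)) return true;
        return false;
    }

    static List<String> dnsSubjectAltNames(X509Certificate cert) {
        List<String> result = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) result.add((String) san.get(1)); // type 2 = dNSName
            }
        } catch (CertificateParsingException e) {
            // an unparseable extension contributes no names
        }
        return result;
    }

    static List<String> commonNames(X509Certificate cert) {
        List<String> result = new ArrayList<>();
        try {
            // Parse the DN into RDNs; never substring-search its string form for "CN=", because
            // attribute values may themselves contain commas, quotes or the text "CN=".
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                    result.add((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // an unparseable DN contributes no names
        }
        return result;
    }

    /** Case-insensitive exact match, or one leftmost-label wildcard such as "*.example.com". */
    static boolean matchesName(String host, String name) {
        host = host.toLowerCase(Locale.ROOT);
        name = name.toLowerCase(Locale.ROOT);
        if (!name.startsWith("*.")) return host.equals(name);
        String suffix = name.substring(1); // ".example.com"
        int dot = host.indexOf('.');
        // the wildcard covers exactly one label, and the suffix itself must contain at least two labels
        return dot > 0 && suffix.indexOf('.', 1) > 0 && host.substring(dot).equals(suffix);
    }
}
```

On Java 7 and later the same check is available without custom code by enabling endpoint identification on the socket (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")); the class above is for code that must supply its own javax.net.ssl.HostnameVerifier, where verify() would call matches(hostname, (X509Certificate) session.getPeerCertificates()[0]).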
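For the RESTEasy issues above (CVE-2014-3481, CVE-2014-3490), where a framework-level switch such as resteasy.document.expand.entity.references still left external parameter entities enabled, the robust defence is to harden the JAXP parser itself so that a DOCTYPE is refused before any entity, general or parameter, can be declared. This is an added example, not RESTEasy's or JBoss EAP's own code; the class name SafeXmlParser and the two sample request bodies are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/** A DOM parser configuration that refuses DOCTYPEs, so neither general nor parameter entities can be declared. */
public final class SafeXmlParser {

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE removes every entity-based vector at once, including
        // parameter entities (<!ENTITY % ...>), which a general-entity switch alone misses.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour disallow-doctype-decl.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static Document parse(String xml) throws Exception {
        return hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** True when the document parses; false when the hardened parser rejects it. */
    public static boolean accepts(String xml) {
        try {
            parse(xml);
            return true;
        } catch (Exception e) { // SAXParseException for a DOCTYPE; any other failure is also a reject
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain request body, and the same body preceded by a DOCTYPE
        // that declares an external parameter entity (the host name is a placeholder).
        String plain = "<order><id>42</id></order>";
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [ <!ENTITY % ext SYSTEM \"http://example.invalid/x.dtd\"> %ext; ]>\n"
                + "<order><id>42</id></order>";
        System.out.println("plain body accepted:   " + accepts(plain));
        System.out.println("DOCTYPE body accepted: " + accepts(withDtd));
    }
}
```

Because the DOCTYPE is rejected at the declaration, the parser never attempts to fetch the external DTD, so the check holds regardless of what the application's context parameters say.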