From bugzilla at redhat.com Tue Dec 1 19:13:44 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Dec 2015 19:13:44 +0000
Subject: [RHSA-2015:2534-01] Critical: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update
Message-ID: <201512011913.tB1JDiTJ032681@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update
Advisory ID:       RHSA-2015:2534-01
Product:           Red Hat JBoss Data Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2534.html
Issue date:        2015-12-01
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

An update for the Apache Commons Collections component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Apache Commons Collections is a library built upon Java JDK classes by providing new interfaces, implementations and utilities.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
(CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.1.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.2.0
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
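The flaw described in this advisory is triggered when a specially constructed chain of classes is deserialized, so beyond applying the update, an application that reads serialized objects from untrusted input should refuse unexpected classes before the JVM loads them (look-ahead deserialization). The following Java class is an added example written for this page, not code from Red Hat or the advisory; the allow-listed types are a hypothetical set for an endpoint that only exchanges String/Integer maps, and it needs Java 7 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Look-ahead deserialization: every class name is checked in resolveClass(),
 * before the JVM loads the class, so no readObject()/readResolve() of an
 * unexpected type ever runs. The allow-list is a hypothetical one for an
 * endpoint that only exchanges String/Integer maps; a real application lists
 * exactly the types it expects and nothing more.
 */
public final class AllowListObjectInputStream extends ObjectInputStream {

    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "java.util.HashMap",
                    "java.lang.String",
                    "java.lang.Integer",
                    "java.lang.Number")));   // superclass descriptor of Integer

    // Package holding InvokerTransformer and the other functors the CVE-2015-7501
    // chain is built from. Rejected explicitly so it stays refused even if the
    // allow-list above is later widened carelessly.
    private static final String[] DENIED_PREFIXES = {
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors."
    };

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "commons-collections functor rejected");
            }
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize a byte[] with the allow-list in force. */
    public static Object readTrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload of the kind the endpoint expects.
        Map<String, Integer> expected = new HashMap<String, Integer>();
        expected.put("retries", 3);
        System.out.println("allowed: " + readTrusted(serialize(expected)));

        // A java.util.Date is harmless, but it is not on the list, so it must be
        // refused: the same path refuses a gadget class without ever loading it.
        try {
            readTrusted(serialize(new java.util.Date(0L)));
            System.out.println("BUG: unexpected class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 9 and later (and the JDK 8u121+ backport) the built-in ObjectInputFilter (JEP 290) provides the same allow-list check without subclassing ObjectInputStream.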
From bugzilla at redhat.com Tue Dec 1 20:46:13 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Dec 2015 15:46:13 -0500
Subject: [RHSA-2015:2535-01] Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update
Message-ID: <201512012046.tB1KkDHc020338@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update
Advisory ID:       RHSA-2015:2535-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2535.html
Issue date:        2015-12-01
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 5.2, which fix one security issue, are now available for Red Hat Enterprise Linux 4, 5, and 6.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 5 is a platform for Java applications based on JBoss Application Server 6.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Enterprise Application Platform 5.2 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
jakarta-commons-collections-3.2.1-5.ep5.el4.src.rpm

noarch:
jakarta-commons-collections-3.2.1-5.ep5.el4.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-5.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
jakarta-commons-collections-3.2.1-5.ep5.el4.src.rpm

noarch:
jakarta-commons-collections-3.2.1-5.ep5.el4.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-5.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
jakarta-commons-collections-3.2.1-5.ep5.el5.src.rpm

noarch:
jakarta-commons-collections-3.2.1-5.ep5.el5.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-5.ep5.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
jakarta-commons-collections-3.2.1-5.ep5.el6.src.rpm

noarch:
jakarta-commons-collections-3.2.1-5.ep5.el6.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-5.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/solutions/2045023

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Tue Dec 1 20:46:25 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Dec 2015 15:46:25 -0500
Subject: [RHSA-2015:2536-01] Critical: Red Hat JBoss Enterprise Application Platform 6.3 security update
Message-ID: <201512012046.tB1KkPPw010966@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.3 security update
Advisory ID:       RHSA-2015:2536-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2536.html
Issue date:        2015-12-01
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

Updated packages that fix one security issue for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.3 are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 5 - noarch
Red Hat JBoss EAP 6.3 for RHEL 6 - noarch
Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes.
A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 5:

Source:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el5.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el5.noarch.rpm

Red Hat JBoss EAP 6.3 for RHEL 6:

Source:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el6.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el6.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el7.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-16.redhat_5.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/solutions/2045023

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Tue Dec 1 20:46:33 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Dec 2015 15:46:33 -0500
Subject: [RHSA-2015:2537-01] Critical: Red Hat JBoss Portal 6.2.0 commons-collections security update
Message-ID: <201512012046.tB1KkXLC029822@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Portal 6.2.0 commons-collections security update
Advisory ID:       RHSA-2015:2537-01
Product:           Red Hat JBoss Portal
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2537.html
Issue date:        2015-12-01
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

An updated package for the apache commons-collections library, fixing one security issue, is now available for Red Hat JBoss Portal 6.2.0 from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
(CVE-2015-7501)

Further information about this security flaw can be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Portal 6.2.0 as provided from the Red Hat Customer Portal are advised to install this security patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all databases, database settings, and customized configuration files.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=6.2.0
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Wed Dec 2 18:03:10 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Dec 2015 13:03:10 -0500
Subject: [RHSA-2015:2538-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Message-ID: <201512021803.tB2I3A4V005071@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Advisory ID:       RHSA-2015:2538-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2538.html
Issue date:        2015-12-02
CVE Names:         CVE-2015-5304 CVE-2015-7501
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
(CVE-2015-7501)

Further information about the commons-collections flaw may be found at:
https://access.redhat.com/solutions/2045023

It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304)

The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1275288 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.21.Final-redhat-1
1275300 - RHEL5 RPMs: Upgrade picketbox to 4.1.2.Final-redhat-1
1275307 - RHEL5 RPMs: Upgrade ironjacamar-eap6 to 1.0.34.Final-redhat-1
1275310 - RHEL5 RPMs: Upgrade jboss-ejb-client to 1.0.32.redhat-1
1275313 - RHEL5 RPMs: Upgrade jboss-remoting3 to 3.3.6.Final-redhat-1
1275316 - RHEL5 RPMs: Upgrade jbossweb to 7.5.12.Final-redhat-1
1275319 - RHEL5 RPMs: Upgrade jboss-xnio-base to 3.0.15.GA-redhat-1
1275330 - RHEL5 RPMs: Upgrade jboss-as-console to 2.5.11.Final-redhat-1
1275683 - RHEL5 RPMs: Upgrade jboss-hal to 2.5.11.Final-redhat-1
1275690 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.3.10.Final-redhat-1
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1279593 - RHEL5 RPMs: Upgrade hornetq to 2.3.25.SP6-redhat-1

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 5:

Source:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el5.src.rpm
jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el5.src.rpm
picketbox-4.1.2-1.Final_redhat_1.1.ep6.el5.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-spi-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-jdbc-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-spec-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-validator-eap6-1.0.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el5.noarch.rpm
jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketbox-4.1.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5304
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Wed Dec 2 18:04:03 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Dec 2015 13:04:03 -0500
Subject: [RHSA-2015:2539-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Message-ID: <201512021804.tB2I43iB015336@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Advisory ID:       RHSA-2015:2539-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2539.html
Issue date:        2015-12-02
CVE Names:         CVE-2015-5304 CVE-2015-7501
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
(CVE-2015-7501)

Further information about the commons-collections flaw may be found at:
https://access.redhat.com/solutions/2045023

It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304)

The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1275287 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.21.Final-redhat-1
1275299 - RHEL6 RPMs: Upgrade picketbox to 4.1.2.Final-redhat-1
1275306 - RHEL6 RPMs: Upgrade ironjacamar-eap6 to 1.0.34.Final-redhat-1
1275309 - RHEL6 RPMs: Upgrade jboss-ejb-client to 1.0.32.redhat-1
1275312 - RHEL6 RPMs: Upgrade jboss-remoting3 to 3.3.6.Final-redhat-1
1275315 - RHEL6 RPMs: Upgrade jbossweb to 7.5.12.Final-redhat-1
1275318 - RHEL6 RPMs: Upgrade jboss-xnio-base to 3.0.15.GA-redhat-1
1275329 - RHEL6 RPMs: Upgrade jboss-as-console to 2.5.11.Final-redhat-1
1275681 - RHEL6 RPMs: Upgrade jboss-hal to 2.5.11.Final-redhat-1
1275689 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.3.10.Final-redhat-1
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1279592 - RHEL6 RPMs: Upgrade hornetq to 2.3.25.SP6-redhat-1

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm 
jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el6.src.rpm jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el6.src.rpm jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el6.src.rpm jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.src.rpm jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el6.src.rpm picketbox-4.1.2-1.Final_redhat_1.1.ep6.el6.src.rpm noarch: apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el6.noarch.rpm hibernate4-core-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-entitymanager-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-envers-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-infinispan-eap6-4.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm 
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-common-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-common-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-common-spi-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-core-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-core-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-deployers-common-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-jdbc-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-spec-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-validator-eap6-1.0.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm 
jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm 
jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el6.noarch.rpm jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el6.noarch.rpm jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el6.noarch.rpm picketbox-4.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5304 https://access.redhat.com/security/cve/CVE-2015-7501 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
From bugzilla at redhat.com Wed Dec 2 18:04:50 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Dec 2015 13:04:50 -0500
Subject: [RHSA-2015:2540-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Message-ID: <201512021804.tB2I4oND015848@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Advisory ID: RHSA-2015:2540-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2540.html
Issue date: 2015-12-02
CVE Names: CVE-2015-5304 CVE-2015-7501
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023

It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304)

The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1275289 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.21.Final-redhat-1
1275301 - RHEL7 RPMs: Upgrade picketbox to 4.1.2.Final-redhat-1
1275308 - RHEL7 RPMs: Upgrade ironjacamar-eap6 to 1.0.34.Final-redhat-1
1275311 - RHEL7 RPMs: Upgrade jboss-ejb-client to 1.0.32.redhat-1
1275314 - RHEL7 RPMs: Upgrade jboss-remoting3 to 3.3.6.Final-redhat-1
1275317 - RHEL7 RPMs: Upgrade jbossweb to 7.5.12.Final-redhat-1
1275320 - RHEL7 RPMs: Upgrade jboss-xnio-base to 3.0.15.GA-redhat-1
1275331 - RHEL7 RPMs: Upgrade jboss-as-console to 2.5.11.Final-redhat-1
1275684 - RHEL7 RPMs: Upgrade jboss-hal to 2.5.11.Final-redhat-1
1275691 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.10.Final-redhat-1
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1279594 - RHEL7 RPMs: Upgrade hornetq to 2.3.25.SP6-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.src.rpm
hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el7.src.rpm
jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.src.rpm
jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el7.src.rpm
picketbox-4.1.2-1.Final_redhat_1.1.ep6.el7.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm
hibernate4-core-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-entitymanager-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-envers-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-infinispan-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el7.noarch.rpm
jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketbox-4.1.2-1.Final_redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5304
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
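A triage check for the RHEL 6 and RHEL 7 package lists in RHSA-2015:2539 and RHSA-2015:2540, added here as an example and not Red Hat tooling: it parses `rpm -qa` output and compares each installed EAP package against the advisory's fixed build using rpm's version-segment ordering, so a host still below the fixed release is flagged. The fixed builds are a subset copied from the lists above; the `rpm -qa` sample, including its older installed versions, is constructed.

```python
"""Flag installed EAP 6.4 RPMs older than the fixed builds in RHSA-2015:2539/2540.

Added example, not Red Hat tooling. Input is the default `rpm -qa` format
(name-version-release.arch); SAMPLE_RPM_QA below is constructed, not real data.
"""
import re
from typing import Dict, List, Tuple

# Fixed builds copied from the advisory package lists (a representative subset).
FIXED_PACKAGES = [
    "apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el6.noarch.rpm",
    "jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch.rpm",
    "picketbox-4.1.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm",
    "hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el6.noarch.rpm",
    "apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm",
    "jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el7.noarch.rpm",
]

# Constructed `rpm -qa` output for a hypothetical RHEL 6 host: three packages
# below the fixed build, one already at it, one the advisory does not cover.
SAMPLE_RPM_QA = """\
apache-commons-collections-eap6-3.2.1-15.redhat_7.1.ep6.el6.noarch
jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el6.noarch
picketbox-4.1.1-1.Final_redhat_1.1.ep6.el6.noarch
hornetq-2.3.25-3.SP1_redhat_1.1.ep6.el6.noarch
bash-4.1.2-33.el6.x86_64
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")   # '.', '-', '_' only separate segments


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm orders them:
    numeric segments compare as integers (so 12 > 9), a numeric segment beats
    an alphabetic one, and when all shared segments tie the longer string is
    newer. Tilde/caret ordering is omitted; no version in the advisory uses it."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nevra(line: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).
    Package names may themselves contain dashes, so split from the right."""
    line = line.strip()
    if line.endswith(".rpm"):
        line = line[: -len(".rpm")]
    name, version, rel_arch = line.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def dist_tag(release: str) -> str:
    """'18.redhat_7.1.ep6.el6' -> 'el6', so an el6 host is only compared with el6 builds."""
    return release.rsplit(".", 1)[-1]


def vulnerable_packages(rpm_qa_output: str, fixed: List[str] = FIXED_PACKAGES) -> List[str]:
    """Return installed NEVRAs older than the fixed build with the same name and
    dist tag; packages the advisory does not list are ignored."""
    fixed_index: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for nevra in fixed:
        name, version, release, _ = parse_nevra(nevra)
        fixed_index[(name, dist_tag(release))] = (version, release)

    flagged = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release, _ = parse_nevra(line)
        key = (name, dist_tag(release))
        if key not in fixed_index:
            continue
        fixed_version, fixed_release = fixed_index[key]
        # Version decides first; only an equal version falls through to release.
        c = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if c < 0:
            flagged.append(line.strip())
    return flagged


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("needs update:", pkg)
```

On a real host, feed the output of `rpm -qa` to `vulnerable_packages` and extend `FIXED_PACKAGES` with the full noarch list for the host's dist tag.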
From bugzilla at redhat.com Wed Dec 2 18:04:57 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Dec 2015 13:04:57 -0500
Subject: [RHSA-2015:2541-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Message-ID: <201512021804.tB2I4v3x006330@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Advisory ID: RHSA-2015:2541-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2541.html
Issue date: 2015-12-02
CVE Names: CVE-2015-5304 CVE-2015-7501
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023

It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304)

The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1275289 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.21.Final-redhat-1
1275301 - RHEL7 RPMs: Upgrade picketbox to 4.1.2.Final-redhat-1
1275308 - RHEL7 RPMs: Upgrade ironjacamar-eap6 to 1.0.34.Final-redhat-1
1275311 - RHEL7 RPMs: Upgrade jboss-ejb-client to 1.0.32.redhat-1
1275314 - RHEL7 RPMs: Upgrade jboss-remoting3 to 3.3.6.Final-redhat-1
1275317 - RHEL7 RPMs: Upgrade jbossweb to 7.5.12.Final-redhat-1
1275320 - RHEL7 RPMs: Upgrade jboss-xnio-base to 3.0.15.GA-redhat-1
1275331 - RHEL7 RPMs: Upgrade jboss-as-console to 2.5.11.Final-redhat-1
1275684 - RHEL7 RPMs: Upgrade jboss-hal to 2.5.11.Final-redhat-1
1275691 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.10.Final-redhat-1
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1279594 - RHEL7 RPMs: Upgrade hornetq to 2.3.25.SP6-redhat-1

5. References:

https://access.redhat.com/security/cve/CVE-2015-5304
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Wed Dec 2 18:05:06 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Dec 2015 13:05:06 -0500
Subject: [RHSA-2015:2542-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update
Message-ID: <201512021805.tB2I56DS008522@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update
Advisory ID:       RHSA-2015:2542-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2542.html
Issue date:        2015-12-02
CVE Names:         CVE-2015-5304 CVE-2015-7501
=====================================================================

1. Summary:

Updated jboss-ec2-eap packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023

It was found that JBoss EAP did not properly authorize a user performing a shutdown. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304)

The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.5. Documentation for these changes is available from the link in the References section.

All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, make sure to back up any modified configuration files, deployments, and all user data. After applying the update, restart the instance of Red Hat JBoss Enterprise Application Platform for the changes to take effect.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
jboss-ec2-eap-7.5.5-3.Final_redhat_3.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.5-3.Final_redhat_3.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.5-3.Final_redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5304
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Fri Dec 4 17:15:07 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 4 Dec 2015 12:15:07 -0500
Subject: [RHSA-2015:2547-01] Critical: Red Hat JBoss Operations Network 3.2.3 security update
Message-ID: <201512041715.tB4HF7Gi019618@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Operations Network 3.2.3 security update
Advisory ID:       RHSA-2015:2547-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2547.html
Issue date:        2015-12-04
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

An update for Red Hat JBoss Operations Network 3.2.3 that fixes one security issue in the Apache commons-collections library is now available.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Operations Network provides an integrated solution for managing JBoss middleware, other network infrastructure, and applications built on Red Hat Enterprise Application Platform (EAP).

The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of JBoss Operations Network 3.2.3 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

This is a server patch that contains a single fix and should not be mixed with other server patches. If you already have a server patch, please contact Red Hat Global Support Services for compatibility assessment.

You must shut down the JBoss ON server prior to applying this patch. This patch must be applied to each JBoss ON server in a high-availability (HA) environment. You can apply the patch to each server individually so that only one server is down at a time.

To install the patch:

1. Stop the JBoss ON server.

2. Back up and remove the following files:

   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1-redhat-2.jar
   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.jar

3. Extract the patch archive to the JBoss ON server's home directory. For example:

   unzip -od "${RHQ_SERVER_HOME}" /tmp/BZ1282545.zip

   Be sure to replace any existing files if prompted.

4. Start the JBoss ON server.

Repeat the steps for any remaining JBoss ON servers in an HA environment.

To uninstall the patch:

1. Stop the JBoss ON server.

2. Remove the updated files:

   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1.redhat-3-bz-1281964.jar
   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar

3. Restore the following files from the backup created prior to applying this patch:

   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1-redhat-2.jar
   /jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.jar
   /modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.jar

4. Start the JBoss ON server.

Repeat the steps for any remaining JBoss ON servers in an HA environment.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
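The manual backup, removal and restore steps of the JBoss ON patch procedure above, carried out by script: an added example that is not part of the Red Hat advisory or of JBoss ON. It assumes the five listed paths are relative to the JBoss ON server home (the directory the advisory's unzip extracts into); the function names and the "vulnerable"/"patched"/"unknown" labels are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat advisory or the JBoss ON product: shell
# helpers for the manual patch steps of RHSA-2015:2547 (back up and remove the
# five commons-collections files, restore them on uninstall) plus a check that
# reports which jar set an install tree currently carries. Assumption: the
# advisory's paths are relative to the server home that "unzip -od" targets.

CC_MODULE_DIR=jbossas/modules/system/layers/base/org/apache/commons/collections/main
CC_EAR_DIR=modules/org/rhq/server-startup/main/deployments/rhq.ear

# Files the advisory says to back up and remove before applying the patch.
CC_ORIGINAL_FILES="
$CC_MODULE_DIR/commons-collections-3.2.1-redhat-2.jar
$CC_MODULE_DIR/module.xml
$CC_EAR_DIR/lib/commons-collections-3.2.1.jar
$CC_EAR_DIR/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.jar
$CC_EAR_DIR/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.jar
"
# Files the patch installs; the uninstall procedure removes these.
CC_PATCHED_FILES="
$CC_MODULE_DIR/commons-collections-3.2.1.redhat-3-bz-1281964.jar
$CC_MODULE_DIR/module.xml
$CC_EAR_DIR/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar
$CC_EAR_DIR/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar
$CC_EAR_DIR/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281964.jar
"

# cc_backup_and_remove SERVER_HOME BACKUP_DIR
# Install step 2: copy each original file into BACKUP_DIR under the same
# relative path, then delete it from the server tree. An already-absent file is
# reported on stderr and skipped, so a second run is harmless.
cc_backup_and_remove() {
    cc_home=$1; cc_backup=$2
    for rel in $CC_ORIGINAL_FILES; do
        if [ -f "$cc_home/$rel" ]; then
            mkdir -p "$cc_backup/$(dirname "$rel")"
            cp -p "$cc_home/$rel" "$cc_backup/$rel"
            rm -f "$cc_home/$rel"
        else
            echo "not present, skipping: $rel" >&2
        fi
    done
}

# cc_restore SERVER_HOME BACKUP_DIR
# Uninstall steps 2 and 3: remove the patched files, then copy the backed-up
# originals back into place.
cc_restore() {
    cc_home=$1; cc_backup=$2
    for rel in $CC_PATCHED_FILES; do
        rm -f "$cc_home/$rel"
    done
    for rel in $CC_ORIGINAL_FILES; do
        if [ -f "$cc_backup/$rel" ]; then
            mkdir -p "$cc_home/$(dirname "$rel")"
            cp -p "$cc_backup/$rel" "$cc_home/$rel"
        fi
    done
}

# cc_state SERVER_HOME
# Prints "vulnerable" if any pre-patch jar is still present, "patched" if every
# patched jar is present and no pre-patch jar remains, "unknown" otherwise
# (a half-applied patch). module.xml is in both lists, so only jars count.
cc_state() {
    cc_home=$1; cc_old=0; cc_new=0; cc_want=0
    for rel in $CC_ORIGINAL_FILES; do
        case $rel in
            *.jar) if [ -f "$cc_home/$rel" ]; then cc_old=$((cc_old + 1)); fi ;;
        esac
    done
    for rel in $CC_PATCHED_FILES; do
        case $rel in
            *.jar) cc_want=$((cc_want + 1))
                   if [ -f "$cc_home/$rel" ]; then cc_new=$((cc_new + 1)); fi ;;
        esac
    done
    if [ "$cc_old" -gt 0 ]; then echo vulnerable
    elif [ "$cc_new" -eq "$cc_want" ]; then echo patched
    else echo unknown
    fi
}

# cc_selfcheck
# Walks the procedure on a constructed tree of placeholder files in a temp dir
# (no JBoss ON needed): state before, after backup/remove plus a stand-in for
# the unzip step, and after restore. Prints the three states seen.
cc_selfcheck() {
    cc_tmp=$(mktemp -d) || return 1
    for rel in $CC_ORIGINAL_FILES; do
        mkdir -p "$cc_tmp/server/$(dirname "$rel")"
        echo "constructed placeholder: $rel" > "$cc_tmp/server/$rel"
    done
    cc_s1=$(cc_state "$cc_tmp/server")
    cc_backup_and_remove "$cc_tmp/server" "$cc_tmp/backup" 2>/dev/null
    for rel in $CC_PATCHED_FILES; do          # stand-in for "unzip -od ..."
        mkdir -p "$cc_tmp/server/$(dirname "$rel")"
        echo "constructed placeholder: $rel" > "$cc_tmp/server/$rel"
    done
    cc_s2=$(cc_state "$cc_tmp/server")
    cc_restore "$cc_tmp/server" "$cc_tmp/backup"
    cc_s3=$(cc_state "$cc_tmp/server")
    rm -rf "$cc_tmp"
    echo "$cc_s1 $cc_s2 $cc_s3"    # prints: vulnerable patched vulnerable
}
```

Run `cc_selfcheck` to see the round trip; against a real server, run `cc_state "$RHQ_SERVER_HOME"` before and after the unzip step to confirm that no pre-patch jar survived.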
From bugzilla at redhat.com Fri Dec 4 17:16:41 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 4 Dec 2015 12:16:41 -0500
Subject: [RHSA-2015:2548-01] Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update
Message-ID: <201512041716.tB4HGfxE028900@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update
Advisory ID:       RHSA-2015:2548-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2548.html
Issue date:        2015-12-04
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 3.0.1 that fixes one security issue in the Apache commons-collections library is now available.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications.

The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Web Server 3.0.1 are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied, and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=3.0.1
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Mon Dec 7 20:49:18 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Dec 2015 15:49:18 -0500
Subject: [RHSA-2015:2556-01] Important: Red Hat JBoss Fuse 6.2.1 update
Message-ID: <201512072049.tB7KnIXe012583@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.2.1 update
Advisory ID:       RHSA-2015:2556-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2556.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-3253 CVE-2015-5181 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.2.1, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.2.1 is a micro product release that updates Red Hat JBoss Fuse 6.2.0, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the link in the References section, for a list of changes.

The following security fixes are addressed in this release:

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes.
A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this issue may be found at: https://access.redhat.com/solutions/2045023

A flaw was discovered in Groovy: when an application has Groovy on the classpath and uses the standard Java serialization mechanism, an attacker can craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2015-3253)

It was found that the JBoss A-MQ console would accept a string containing JavaScript as the name of a new message queue. Rendering the console UI would subsequently execute the script. An attacker could use this flaw to access sensitive information or perform other attacks. (CVE-2015-5181)

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting CVE-2015-5181.

All users of Red Hat JBoss Fuse 6.2.0 are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1248804 - CVE-2015-5181 A-MQ Console: script injection into queue name
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. JIRA issues fixed (https://issues.jboss.org/):

ENTESB-4398 - Arbitrary remote code execution with InvokerTransformer

6. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-5181
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.2.1
https://access.redhat.com/solutions/2045023
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Mon Dec 7 20:49:25 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Dec 2015 15:49:25 -0500
Subject: [RHSA-2015:2557-01] Important: Red Hat JBoss A-MQ 6.2.1 update
Message-ID: <201512072049.tB7KnPK4020686@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss A-MQ 6.2.1 update
Advisory ID:       RHSA-2015:2557-01
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2557.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-3253 CVE-2015-5181 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss A-MQ 6.2.1, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.2.1 is a micro product release that updates Red Hat JBoss A-MQ 6.2.0, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the link in the References section, for a list of changes.

The following security fixes are addressed in this release:

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this issue may be found at: https://access.redhat.com/solutions/2045023

A flaw was discovered in Groovy: when an application has Groovy on the classpath and uses the standard Java serialization mechanism, an attacker can craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2015-3253)

It was found that the JBoss A-MQ console would accept a string containing JavaScript as the name of a new message queue. Rendering the console UI would subsequently execute the script. An attacker could use this flaw to access sensitive information or perform other attacks. (CVE-2015-5181)

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting CVE-2015-5181.

All users of Red Hat JBoss A-MQ 6.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1248804 - CVE-2015-5181 A-MQ Console: script injection into queue name
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. JIRA issues fixed (https://issues.jboss.org/):

ENTESB-4398 - Arbitrary remote code execution with InvokerTransformer

6. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-5181
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.2.1
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/
https://access.redhat.com/solutions/2045023

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Mon Dec 7 20:49:31 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Dec 2015 15:49:31 -0500
Subject: [RHSA-2015:2558-01] Important: Red Hat JBoss Fuse Service Works 6.2.1 update
Message-ID: <201512072049.tB7KnV3V012850@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse Service Works 6.2.1 update
Advisory ID:       RHSA-2015:2558-01
Product:           Red Hat JBoss Fuse Service Works
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2558.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0263 CVE-2015-0264 CVE-2015-3253
=====================================================================

1. Summary:

Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues and various bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

This release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a replacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.
The following security issues are fixed with this release:

A flaw was discovered in Groovy: when an application has Groovy on the classpath and uses the standard Java serialization mechanism, an attacker can craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2015-3253)

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0263)

It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0264)

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203341 - CVE-2015-0264 Camel: XXE via XPath expression evaluation
1203344 - CVE-2015-0263 Camel: XXE in via SAXSource expansion
1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure

5. References:

https://access.redhat.com/security/cve/CVE-2015-0263
https://access.redhat.com/security/cve/CVE-2015-0264
https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Mon Dec 7 20:49:38 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Dec 2015 15:49:38 -0500
Subject: [RHSA-2015:2559-01] Critical: Red Hat JBoss BRMS 6.2.0 update
Message-ID: <201512072049.tB7Knc7n012933@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss BRMS 6.2.0 update
Advisory ID:       RHSA-2015:2559-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2559.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0250 CVE-2015-6748 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.2.0, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.2.0 serves as a replacement for Red Hat JBoss BRMS 6.1.2, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BRMS 6.2.0 Release Notes for information on the most significant of these changes. The Release Notes are available at https://access.redhat.com/documentation/en/red-hat-jboss-brms/

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0250)

It was found that jsoup did not properly validate user-supplied HTML content; certain HTML snippets could get past the validator without being detected as unsafe. A remote attacker could use a specially crafted HTML snippet to execute arbitrary web script in the user's browser. (CVE-2015-6748)

All users of Red Hat JBoss BRMS 6.1.2 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BRMS 6.2.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203762 - CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
1258310 - CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-0250
https://access.redhat.com/security/cve/CVE-2015-6748
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.2.0
https://access.redhat.com/documentation/en/red-hat-jboss-brms/
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Mon Dec 7 20:49:45 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Dec 2015 15:49:45 -0500
Subject: [RHSA-2015:2560-01] Critical: Red Hat JBoss BPM Suite 6.2.0 update
Message-ID: <201512072049.tB7KnjgS032059@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss BPM Suite 6.2.0 update
Advisory ID:       RHSA-2015:2560-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2560.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0250 CVE-2015-6748 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.2.0, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.2.0 serves as a replacement for Red Hat JBoss BPM Suite 6.1.2, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.2.0 Release Notes for information on the most significant of these changes.
The Release Notes are available at https://access.redhat.com/documentation/en/red-hat-jboss-brms/

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0250)

It was found that jsoup did not properly validate user-supplied HTML content; certain HTML snippets could get past the validator without being detected as unsafe. A remote attacker could use a specially crafted HTML snippet to execute arbitrary web script in the user's browser. (CVE-2015-6748)

All users of Red Hat JBoss BPM Suite 6.1.2 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.2.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203762 - CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
1258310 - CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-0250
https://access.redhat.com/security/cve/CVE-2015-6748
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.2.0
https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWZfDoXlSAg2UNWIIRAohBAJ9MfGsVH9cga1METwUuBpeAUwl7OACfV8d2
HrTmzDEH6eFp2FkRTOLmFyA=
=dypX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Dec 8 16:30:37 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 8 Dec 2015 11:30:37 -0500
Subject: [RHSA-2015:2578-01] Critical: Red Hat JBoss BRMS 6.1.0 commons-collections security update
Message-ID: <201512081630.tB8GUbVV004725@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat JBoss BRMS 6.1.0 commons-collections security update
Advisory ID: RHSA-2015:2578-01
Product: Red Hat JBoss BRMS
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2578.html
Issue date: 2015-12-08
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

An update for the Apache Commons Collections component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss BRMS 6.1.0.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Apache Commons Collections is a library built upon Java JDK classes by providing new interfaces, implementations and utilities.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss BRMS installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss BRMS server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss BRMS server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWZwWqXlSAg2UNWIIRAl+fAKCAamYbdraGefGdtASv5Lzv+ke+bQCcCwVn
wdk2v8XTiYbC/Q2KtCEoJu0=
=zsgL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Dec 8 16:30:44 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 8 Dec 2015 11:30:44 -0500
Subject: [RHSA-2015:2579-01] Critical: Red Hat JBoss BPM Suite 6.1.0 commons-collections security update
Message-ID: <201512081630.tB8GUiDU004938@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat JBoss BPM Suite 6.1.0 commons-collections security update
Advisory ID: RHSA-2015:2579-01
Product: Red Hat JBoss BPM Suite
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2579.html
Issue date: 2015-12-08
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

An update for the Apache Commons Collections component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss BPM Suite 6.1.0.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Apache Commons Collections is a library built upon Java JDK classes by providing new interfaces, implementations and utilities.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates). Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWZwWzXlSAg2UNWIIRAhsCAJ9BAOTYmn8+udZv1Ryq0omwh+6RlACfclA+
nMKxxUG7eTn6USg7vmG8fs4=
=DsUG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Dec 16 18:23:43 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Dec 2015 13:23:43 -0500
Subject: [RHSA-2015:2659-01] Moderate: Red Hat JBoss Web Server 3.0.2 security update
Message-ID: <201512161823.tBGINhbp008842@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Web Server 3.0.2 security update
Advisory ID: RHSA-2015:2659-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2015:2659
Issue date: 2015-12-16
CVE Names: CVE-2013-5704 CVE-2014-0230 CVE-2015-3183
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.0 for RHEL 6 - i386, noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body.
A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server. (CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-228)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1263879 - JWS3.0.2 tracker for RHEL6

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-219 - CVE-2014-0230 tomcat8: non-persistent DoS attack by feeding data by aborting an upload
JWS-220 - CVE-2014-0230 tomcat7: non-persistent DoS attack by feeding data by aborting an upload
JWS-228 - RHEL 6 Errata Jira

7. Package List:

Red Hat JBoss Web Server 3.0 for RHEL 6:

Source:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el6.src.rpm
httpd24-2.4.6-59.ep7.el6.src.rpm
mod_bmx-0.9.5-7.GA.ep7.el6.src.rpm
mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el6.src.rpm
tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el6.src.rpm
tomcat7-7.0.59-42_patch_01.ep7.el6.src.rpm
tomcat8-8.0.18-52_patch_01.ep7.el6.src.rpm

i386:
httpd24-2.4.6-59.ep7.el6.i686.rpm
httpd24-debuginfo-2.4.6-59.ep7.el6.i686.rpm
httpd24-devel-2.4.6-59.ep7.el6.i686.rpm
httpd24-tools-2.4.6-59.ep7.el6.i686.rpm
mod_bmx-0.9.5-7.GA.ep7.el6.i686.rpm
mod_bmx-debuginfo-0.9.5-7.GA.ep7.el6.i686.rpm
mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el6.i686.rpm
mod_cluster-native-debuginfo-1.3.1-6.Final_redhat_2.ep7.el6.i686.rpm
mod_ldap24-2.4.6-59.ep7.el6.i686.rpm
mod_proxy24_html-2.4.6-59.ep7.el6.i686.rpm
mod_session24-2.4.6-59.ep7.el6.i686.rpm
mod_ssl24-2.4.6-59.ep7.el6.i686.rpm

noarch:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el6.noarch.rpm
apache-commons-collections-tomcat-eap6-3.2.1-18.redhat_7.1.ep6.el6.noarch.rpm
httpd24-manual-2.4.6-59.ep7.el6.noarch.rpm
tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el6.noarch.rpm
tomcat7-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-lib-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.59-42_patch_01.ep7.el6.noarch.rpm
tomcat8-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-lib-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.18-52_patch_01.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.18-52_patch_01.ep7.el6.noarch.rpm

x86_64:
httpd24-2.4.6-59.ep7.el6.x86_64.rpm
httpd24-debuginfo-2.4.6-59.ep7.el6.x86_64.rpm
httpd24-devel-2.4.6-59.ep7.el6.x86_64.rpm
httpd24-tools-2.4.6-59.ep7.el6.x86_64.rpm
mod_bmx-0.9.5-7.GA.ep7.el6.x86_64.rpm
mod_bmx-debuginfo-0.9.5-7.GA.ep7.el6.x86_64.rpm
mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.3.1-6.Final_redhat_2.ep7.el6.x86_64.rpm
mod_ldap24-2.4.6-59.ep7.el6.x86_64.rpm
mod_proxy24_html-2.4.6-59.ep7.el6.x86_64.rpm
mod_session24-2.4.6-59.ep7.el6.x86_64.rpm
mod_ssl24-2.4.6-59.ep7.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate

9. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWcawtXlSAg2UNWIIRAiEGAJoD8qtM0cjYAJfsgfOGNMAidqkJVwCfcowY
FzKvh5TVYCMJMxYjSnAjFdM=
=4So+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Dec 16 18:23:51 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Dec 2015 13:23:51 -0500
Subject: [RHSA-2015:2660-01] Moderate: Red Hat JBoss Web Server 3.0.2 security update
Message-ID: <201512161823.tBGINpUE008905@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Web Server 3.0.2 security update
Advisory ID: RHSA-2015:2660-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2015:2660
Issue date: 2015-12-16
CVE Names: CVE-2013-5704 CVE-2014-0230 CVE-2015-3183
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.0 for RHEL 7 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server. (CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-229)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1263884 - JWS3.0.2 tracker for RHEL7

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-219 - CVE-2014-0230 tomcat8: non-persistent DoS attack by feeding data by aborting an upload
JWS-220 - CVE-2014-0230 tomcat7: non-persistent DoS attack by feeding data by aborting an upload
JWS-229 - RHEL 7 Errata Jira

7. Package List:

Red Hat JBoss Web Server 3.0 for RHEL 7:

Source:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.src.rpm
httpd24-2.4.6-59.ep7.el7.src.rpm
mod_bmx-0.9.5-7.GA.ep7.el7.src.rpm
mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el7.src.rpm
tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el7.src.rpm
tomcat7-7.0.59-42_patch_01.ep7.el7.src.rpm
tomcat8-8.0.18-52_patch_01.ep7.el7.src.rpm

noarch:
apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm
apache-commons-collections-tomcat-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm
httpd24-manual-2.4.6-59.ep7.el7.noarch.rpm
tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el7.noarch.rpm
tomcat7-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-lib-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.59-42_patch_01.ep7.el7.noarch.rpm
tomcat8-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-lib-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.18-52_patch_01.ep7.el7.noarch.rpm

x86_64:
httpd24-2.4.6-59.ep7.el7.x86_64.rpm
httpd24-debuginfo-2.4.6-59.ep7.el7.x86_64.rpm
httpd24-devel-2.4.6-59.ep7.el7.x86_64.rpm
httpd24-tools-2.4.6-59.ep7.el7.x86_64.rpm
mod_bmx-0.9.5-7.GA.ep7.el7.x86_64.rpm
mod_bmx-debuginfo-0.9.5-7.GA.ep7.el7.x86_64.rpm
mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.3.1-6.Final_redhat_2.ep7.el7.x86_64.rpm
mod_ldap24-2.4.6-59.ep7.el7.x86_64.rpm
mod_proxy24_html-2.4.6-59.ep7.el7.x86_64.rpm
mod_session24-2.4.6-59.ep7.el7.x86_64.rpm
mod_ssl24-2.4.6-59.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate

9. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
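RHSA-2015:2659 and RHSA-2015:2660 above, and RHSA-2015:2661 below, describe the same two httpd chunked-encoding flaws: trailer fields merged into the request headers after modules such as mod_headers had already run (CVE-2013-5704), and chunk-size parsing lenient enough that httpd and a proxy in front of it could frame the same bytes differently (CVE-2015-3183). The Python module below is an example added by the editor; it is not code from Red Hat, Apache httpd or the advisories. It shows what a hardened chunked parser does about both: it accepts only a chunk-size line that is plain hexadecimal of at most eight digits, rejects anything left over after the terminating CRLF, and returns trailer fields separately instead of writing them into the header set, refusing framing, routing and authentication names outright. merge_trailers_unsafely reproduces the pre-fix behaviour for contrast. The sample bodies are constructed, the forbidden-trailer list is the editor's reading of RFC 7230 section 4.1.2, and the specific lenient inputs it rejects illustrate the advisory's "decode differently" wording rather than reproduce the httpd patches.

```python
"""Strict HTTP/1.1 chunked-body parser with separate trailer handling.

Editor-added example; not code from Red Hat, Apache httpd or the advisories.
The lenient behaviours rejected below (whitespace or sign characters and
over-long digit strings in chunk sizes, trailers merged back into the
header set) illustrate the advisories' wording; they are not a catalogue
of the httpd fixes.
"""
import re

# chunk-size = 1*HEXDIG, optionally followed by ";ext" chunk extensions.
# Capped at 8 hex digits so a 32-bit and a 64-bit implementation can never
# disagree about an overflowed size.
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")

# Fields a trailer must never carry (framing, routing, authentication,
# payload handling).  Assumed list based on RFC 7230 section 4.1.2.
FORBIDDEN_TRAILERS = {
    b"transfer-encoding", b"content-length", b"host", b"trailer",
    b"content-type", b"content-encoding", b"content-range", b"range",
    b"authorization", b"proxy-authorization", b"cookie", b"set-cookie",
    b"expect", b"te", b"max-forwards", b"cache-control",
}


class ChunkedError(ValueError):
    """The body is not an unambiguous chunked message."""


def parse_chunked(body: bytes, max_body: int = 1 << 20):
    """Decode a chunked body strictly.

    Returns (payload, trailers).  Trailers come back as a separate list of
    (lower-cased name, value) pairs; nothing here writes them into the
    request's header set.  Raises ChunkedError on any construct that two
    parsers could plausibly read differently.
    """
    pos, out = 0, bytearray()
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        m = _CHUNK_SIZE_RE.match(body[pos:end])
        if m is None:
            raise ChunkedError("malformed chunk-size line: %r" % body[pos:end])
        size, pos = int(m.group(1), 16), end + 2
        if size == 0:
            break                                    # last-chunk; trailers follow
        if len(out) + size > max_body:
            raise ChunkedError("decoded body exceeds %d bytes" % max_body)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        out += chunk
        pos += size + 2

    trailers = []
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("trailer section not terminated by CRLF")
        line, pos = body[pos:end], end + 2
        if line == b"":
            break                                    # end of trailer section
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ChunkedError("malformed trailer line: %r" % line)
        if name.lower() in FORBIDDEN_TRAILERS:
            raise ChunkedError("forbidden trailer field: %r" % name)
        trailers.append((name.lower(), value.strip()))

    if pos != len(body):
        # Bytes after the terminating CRLF are what a lenient front end would
        # pass on as the start of a second, smuggled request.
        raise ChunkedError("%d bytes after end of chunked body" % (len(body) - pos))
    return bytes(out), trailers


def is_ambiguous(body: bytes) -> bool:
    """True if the strict parser refuses the body."""
    try:
        parse_chunked(body)
    except ChunkedError:
        return True
    return False


def merge_trailers_unsafely(headers: dict, trailers) -> dict:
    """Pre-fix behaviour, for contrast only: fold trailers into headers that
    policy modules have already inspected, so a trailer overrides them."""
    merged = dict(headers)
    merged.update(trailers)
    return merged


# Constructed sample bodies (not captured traffic).
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n"
SPACED_SIZE = b" +4\r\nWiki\r\n0\r\n\r\n"                # strtol-style parsers accept " +4"
OVERLONG_SIZE = b"00000000004\r\nWiki\r\n0\r\n\r\n"      # 11 hex digits: overflow territory
SMUGGLED_TAIL = b"0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"   # bytes after the final CRLF
FORBIDDEN_TRAILER = b"4\r\nWiki\r\n0\r\nContent-Length: 99\r\n\r\n"
TRAILER_OVERRIDE = b"4\r\nWiki\r\n0\r\nX-Forwarded-Proto: https\r\n\r\n"

if __name__ == "__main__":
    print(parse_chunked(GOOD))
    for sample in (SPACED_SIZE, OVERLONG_SIZE, SMUGGLED_TAIL, FORBIDDEN_TRAILER):
        print(sample[:14], "rejected:", is_ambiguous(sample))
    vetted = {b"x-forwarded-proto": b"http"}       # what a front-end module already decided
    _, trailers = parse_chunked(TRAILER_OVERRIDE)
    print("strict:", vetted, "unsafe merge:", merge_trailers_unsafely(vetted, trailers))
```

The TRAILER_OVERRIDE sample is the CVE-2013-5704 shape: the strict parser leaves the vetted X-Forwarded-Proto header untouched and hands the trailer back on its own, while the unsafe merge lets the client's trailer replace what the front end decided. The other rejected samples are the CVE-2015-3183 shape: each is a body on which a lenient and a strict parser would place the end of the request differently.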
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWcaw1XlSAg2UNWIIRAvIHAJkBzpbal/rAYvXYCzw5G7IlbsFt+gCgju8L
HocWr62uwBIiA509XSYTYJQ=
=UN1P
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Dec 16 18:23:57 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Dec 2015 13:23:57 -0500
Subject: [RHSA-2015:2661-01] Moderate: Red Hat JBoss Web Server 3.0.2 security update
Message-ID: <201512161823.tBGINvp7021467@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Web Server 3.0.2 security update
Advisory ID: RHSA-2015:2661-01
Product: Red Hat JBoss Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2661.html
Issue date: 2015-12-16
CVE Names: CVE-2013-5704 CVE-2014-0230 CVE-2015-3183
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server. (CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-229)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1263884 - JWS3.0.2 tracker for RHEL7

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-219 - CVE-2014-0230 tomcat8: non-persistent DoS attack by feeding data by aborting an upload
JWS-220 - CVE-2014-0230 tomcat7: non-persistent DoS attack by feeding data by aborting an upload
JWS-229 - RHEL 7 Errata Jira

6. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=3.0.2

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWcaw8XlSAg2UNWIIRAtVIAJ9ZsavkVF4t5Y0Ov8BjdWPVnFiawACdE1Nq
SfRroDK7kZRAneqPqZKnB20=
=gLeh
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Dec 18 21:27:32 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 18 Dec 2015 21:27:32 +0000
Subject: [RHSA-2015:2670-01] Critical: Red Hat JBoss BRMS 5.3.1 commons-collections security update
Message-ID: <201512182127.tBILRXVE002830@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat JBoss BRMS 5.3.1 commons-collections security update
Advisory ID: RHSA-2015:2670-01
Product: Red Hat JBoss BRMS
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2670.html
Issue date: 2015-12-18
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

An update for the Apache Commons Collections component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss BRMS 5.3.1.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Apache Commons Collections is a library built upon Java JDK classes by providing new interfaces, implementations and utilities.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss BRMS 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss BRMS installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss BRMS server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss BRMS server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWdHohXlSAg2UNWIIRAgv1AKCQDMIpc7h31Rm90YfPKfo+XM3/GQCcCxSb
PJ2ryXEo0E+x8aJXkEVyiHI=
=uQhk
-----END PGP SIGNATURE-----
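Five of the advisories on this page (RHSA-2015:2534, 2560, 2578, 2579 and 2670) fix the same flaw, CVE-2015-7501: an application that passes attacker-controlled bytes to Java's ObjectInputStream lets a serialized object graph built from commons-collections Transformer classes run code while it is being read, and bug 1279330 names InvokerTransformer as the class that does the invoking. Until the update is applied, operators usually want to know whether such streams are reaching their JBoss instances at all. The Python module below is an example added by the editor, not code from Red Hat, Apache or the advisories. It walks a Java serialization stream far enough to list the class descriptors it carries and flags the ones belonging to the public commons-collections gadget chains. InvokerTransformer is the only class the page itself names; the companion list, the shallow scanning heuristic and the sample stream (a descriptor sequence with the field bodies left out, which would not deserialize) are the editor's assumptions. This is a detection aid for a proxy, WAF hook or log pipeline, not a safe deserializer.

```python
"""Enumerate class descriptors in a Java serialization stream and flag
known commons-collections gadget classes.

Editor-added example; not code from Red Hat, Apache or the advisories.
It is a detection aid, not a safe deserializer: the fix remains the vendor
update, or a class-filtering ObjectInputStream on the application side.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED, STREAM_VERSION 5
TC_CLASSDESC = 0x72                   # className (UTF), serialVersionUID, flags, field count

# InvokerTransformer is the class named in bug 1279330; the rest is the
# editor's assumed list of its usual companions in the public 3.x chains.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.map.TransformedMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
}

_IDENT = r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*"
_CLASS_NAME_RE = re.compile(r"^(?:\[+L%s;|%s|\[+[BCDFIJSZ])$" % (_IDENT, _IDENT))


def _element_type(name: str) -> str:
    """'[Lfoo.Bar;' -> 'foo.Bar'; other names unchanged."""
    return re.sub(r"^\[+L(.*);$", r"\1", name)


def class_descriptors(stream: bytes):
    """Yield (offset, class name) for each TC_CLASSDESC record found.

    Shallow walk: a 0x72 tag, a 2-byte length, a syntactically valid class
    name and room for the 8-byte serialVersionUID.  That enumerates the
    types readObject() would instantiate without re-implementing the full
    grammar, at the cost of rare false positives on binary field data.
    """
    if not stream.startswith(STREAM_MAGIC):
        return
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + length]
            if length and len(raw) == length and i + 3 + length + 8 <= len(stream):
                name = raw.decode("ascii", errors="replace")
                if _CLASS_NAME_RE.match(name):
                    yield i, _element_type(name)
                    i += 3 + length + 8     # skip the name and serialVersionUID
                    continue
        i += 1


def find_gadgets(stream: bytes):
    """Sorted list of gadget classes whose descriptors appear in the stream."""
    return sorted({name for _, name in class_descriptors(stream) if name in GADGET_CLASSES})


def assess(data: bytes) -> str:
    """One-line verdict suitable for a log field or a block decision."""
    if not data.startswith(STREAM_MAGIC):
        return "not-java-serialization"
    hits = find_gadgets(data)
    return "gadget:" + ",".join(hits) if hits else "java-serialization:no-known-gadget"


def _classdesc(name: str, suid: int = 0x1234567890ABCDEF) -> bytes:
    """Leading bytes of a TC_CLASSDESC record; used only to build the sample."""
    enc = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc
            + struct.pack(">Q", suid) + b"\x02" + b"\x00\x01")   # SC_SERIALIZABLE, 1 field


# Constructed sample: the descriptor sequence of a LazyMap/ChainedTransformer
# style payload with the field bodies omitted.  It would not deserialize and
# is not an exploit; it only exercises the scanner.
SAMPLE_GADGET_STREAM = (
    STREAM_MAGIC
    + b"\x73" + _classdesc("sun.reflect.annotation.AnnotationInvocationHandler")   # TC_OBJECT
    + b"\x74\x00\x04type"                                                          # TC_STRING
    + b"\x73" + _classdesc("org.apache.commons.collections.map.LazyMap")
    + b"\x73" + _classdesc("org.apache.commons.collections.functors.ChainedTransformer")
    + b"\x75" + _classdesc("[Lorg.apache.commons.collections.Transformer;")        # TC_ARRAY
    + b"\x73" + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
    + b"\x74\x00\x09getMethod"
)

if __name__ == "__main__":
    for off, name in class_descriptors(SAMPLE_GADGET_STREAM):
        print("%5d %s" % (off, name))
    print(assess(SAMPLE_GADGET_STREAM))
    print(assess(b'{"json": true}'))
```

Because the scan is keyed on class descriptors rather than on a byte signature of one particular payload, it also catches chains that reorder or re-wrap the same classes; what it cannot do is prove a stream harmless, since a gadget chain can be built from classes outside GADGET_CLASSES. Treat "no-known-gadget" as "nothing on the list", and treat any Java serialization reaching an endpoint that should not receive it as a finding in its own right.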