From bugzilla at redhat.com Tue May 17 16:32:08 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 17 May 2016 12:32:08 -0400 Subject: [RHSA-2016:1087-01] Moderate: Red Hat JBoss Web Server 3.0.3 update Message-ID: <201605171632.u4HGW8la019986@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Web Server 3.0.3 update Advisory ID: RHSA-2016:1087-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2016:1087 Issue date: 2016-05-17 CVE Names: CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 ===================================================================== 1. Summary: Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.0 for RHEL 6 - i386, noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es): * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1311076 - CVE-2015-5351 tomcat: CSRF token leak 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms 1311085 - CVE-2015-5346 tomcat: Session fixation 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet 1311089 - CVE-2015-5345 tomcat: directory disclosure 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() 6. JIRA issues fixed (https://issues.jboss.org/): JWS-271 - User submitted session ID JWS-272 - User submitted session ID JWS-276 - Welcome File processing refactoring - CVE-2015-5345 low JWS-277 - Welcome File processing refactoring - CVE-2015-5345 low JWS-303 - Avoid useless session creation for manager webapps - CVE-2015-5351 moderate JWS-304 - Restrict another manager servlet - CVE-2016-0706 low JWS-309 - Rhel 6 Errata JWS-349 - Session serialization safety - CVE-2016-0714 moderate JWS-350 - Protect ResourceLinkFactory.setGlobalContext() - CVE-2016-0763 moderate 7. Package List: Red Hat JBoss Web Server 3.0 for RHEL 6: Source: httpd24-2.4.6-61.ep7.el6.src.rpm mod_security-jws3-2.8.0-7.GA.ep7.el6.src.rpm tomcat7-7.0.59-50_patch_01.ep7.el6.src.rpm tomcat8-8.0.18-61_patch_01.ep7.el6.src.rpm i386: httpd24-2.4.6-61.ep7.el6.i686.rpm httpd24-debuginfo-2.4.6-61.ep7.el6.i686.rpm httpd24-devel-2.4.6-61.ep7.el6.i686.rpm httpd24-tools-2.4.6-61.ep7.el6.i686.rpm mod_ldap24-2.4.6-61.ep7.el6.i686.rpm mod_proxy24_html-2.4.6-61.ep7.el6.i686.rpm mod_security-jws3-2.8.0-7.GA.ep7.el6.i686.rpm mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el6.i686.rpm mod_session24-2.4.6-61.ep7.el6.i686.rpm mod_ssl24-2.4.6-61.ep7.el6.i686.rpm noarch: httpd24-manual-2.4.6-61.ep7.el6.noarch.rpm tomcat7-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-javadoc-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-lib-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-log4j-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat7-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm tomcat8-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-javadoc-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-lib-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-log4j-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm tomcat8-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm x86_64: httpd24-2.4.6-61.ep7.el6.x86_64.rpm httpd24-debuginfo-2.4.6-61.ep7.el6.x86_64.rpm httpd24-devel-2.4.6-61.ep7.el6.x86_64.rpm httpd24-tools-2.4.6-61.ep7.el6.x86_64.rpm mod_ldap24-2.4.6-61.ep7.el6.x86_64.rpm mod_proxy24_html-2.4.6-61.ep7.el6.x86_64.rpm mod_security-jws3-2.8.0-7.GA.ep7.el6.x86_64.rpm mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el6.x86_64.rpm mod_session24-2.4.6-61.ep7.el6.x86_64.rpm mod_ssl24-2.4.6-61.ep7.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2015-5345 https://access.redhat.com/security/cve/CVE-2015-5346 https://access.redhat.com/security/cve/CVE-2015-5351 https://access.redhat.com/security/cve/CVE-2016-0706 https://access.redhat.com/security/cve/CVE-2016-0714 https://access.redhat.com/security/cve/CVE-2016-0763 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXO0eGXlSAg2UNWIIRAtphAJwJm7aIrhuG4w1cvO75qAAKb2NuewCeMTk4 X1Zmqy0SSoiUM+LufY6sxsI= =uRGj -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue May 17 16:32:16 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 17 May 2016 12:32:16 -0400 Subject: [RHSA-2016:1088-01] Moderate: Red Hat JBoss Web Server 3.0.3 update Message-ID: <201605171632.u4HGWGaF014586@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Web Server 3.0.3 update Advisory ID: RHSA-2016:1088-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2016:1088 Issue date: 2016-05-17 CVE Names: CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 ===================================================================== 1. Summary: Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.0 for RHEL 7 - noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es): * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1311076 - CVE-2015-5351 tomcat: CSRF token leak 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms 1311085 - CVE-2015-5346 tomcat: Session fixation 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet 1311089 - CVE-2015-5345 tomcat: directory disclosure 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() 6. JIRA issues fixed (https://issues.jboss.org/): JWS-271 - User submitted session ID JWS-272 - User submitted session ID JWS-276 - Welcome File processing refactoring - CVE-2015-5345 low JWS-277 - Welcome File processing refactoring - CVE-2015-5345 low JWS-303 - Avoid useless session creation for manager webapps - CVE-2015-5351 moderate JWS-304 - Restrict another manager servlet - CVE-2016-0706 low JWS-310 - Rhel 7 Errata JWS-349 - Session serialization safety - CVE-2016-0714 moderate JWS-350 - Protect ResourceLinkFactory.setGlobalContext() - CVE-2016-0763 moderate 7. Package List: Red Hat JBoss Web Server 3.0 for RHEL 7: Source: httpd24-2.4.6-61.ep7.el7.src.rpm mod_security-jws3-2.8.0-7.GA.ep7.el7.src.rpm tomcat7-7.0.59-50_patch_01.ep7.el7.src.rpm tomcat8-8.0.18-61_patch_01.ep7.el7.src.rpm noarch: httpd24-manual-2.4.6-61.ep7.el7.noarch.rpm tomcat7-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-javadoc-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-lib-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-log4j-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat7-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm tomcat8-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-javadoc-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-lib-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-log4j-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm tomcat8-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm x86_64: httpd24-2.4.6-61.ep7.el7.x86_64.rpm httpd24-debuginfo-2.4.6-61.ep7.el7.x86_64.rpm httpd24-devel-2.4.6-61.ep7.el7.x86_64.rpm httpd24-tools-2.4.6-61.ep7.el7.x86_64.rpm mod_ldap24-2.4.6-61.ep7.el7.x86_64.rpm mod_proxy24_html-2.4.6-61.ep7.el7.x86_64.rpm mod_security-jws3-2.8.0-7.GA.ep7.el7.x86_64.rpm mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el7.x86_64.rpm mod_session24-2.4.6-61.ep7.el7.x86_64.rpm mod_ssl24-2.4.6-61.ep7.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2015-5345 https://access.redhat.com/security/cve/CVE-2015-5346 https://access.redhat.com/security/cve/CVE-2015-5351 https://access.redhat.com/security/cve/CVE-2016-0706 https://access.redhat.com/security/cve/CVE-2016-0714 https://access.redhat.com/security/cve/CVE-2016-0763 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXO0eOXlSAg2UNWIIRAi6kAJ0XL+4d641CxfXVlyicymlY0d1zAgCglaVw PkE1h2DujHG3g4xYL5HAy8k= =2fPt -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue May 17 16:32:24 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 17 May 2016 12:32:24 -0400 Subject: [RHSA-2016:1089-01] Moderate: Red Hat JBoss Web Server 3.0.3 security update Message-ID: <201605171632.u4HGWOcq020173@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Web Server 3.0.3 security update Advisory ID: RHSA-2016:1089-01 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1089.html Issue date: 2016-05-17 CVE Names: CVE-2015-0209 CVE-2015-5312 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 CVE-2015-8710 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 ===================================================================== 1. Summary: Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es): * Several denial of service flaws were found in libxml2, a library providing support for reading, modifying, and writing XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or in certain cases crash the application. (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-7942, CVE-2015-8035, CVE-2015-8710, CVE-2015-7941, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported. (CVE-2015-0209) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Red Hat would like to thank the GNOME project for reporting CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242, and CVE-2015-8317. Upstream acknowledges Kostya Serebryany as the original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). After installing the updated packages, the httpd daemon will be restarted automatically. 4. Bugs fixed (https://bugzilla.redhat.com/): 1196737 - CVE-2015-0209 openssl: use-after-free on invalid EC private key import 1213957 - CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment 1274222 - CVE-2015-7941 libxml2: Out-of-bounds memory access 1276297 - CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() 1276693 - CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input 1277146 - CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled 1281862 - CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey 1281879 - CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl 1281925 - CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW 1281930 - CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration 1281936 - CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar 1281943 - CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc 1281950 - CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode 1311076 - CVE-2015-5351 tomcat: CSRF token leak 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms 1311085 - CVE-2015-5346 tomcat: Session fixation 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet 1311089 - CVE-2015-5345 tomcat: directory disclosure 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() 5. JIRA issues fixed (https://issues.jboss.org/): JWS-271 - User submitted session ID JWS-272 - User submitted session ID JWS-276 - Welcome File processing refactoring - CVE-2015-5345 low JWS-277 - Welcome File processing refactoring - CVE-2015-5345 low JWS-303 - Avoid useless session creation for manager webapps - CVE-2015-5351 moderate JWS-304 - Restrict another manager servlet - CVE-2016-0706 low JWS-349 - Session serialization safety - CVE-2016-0714 moderate JWS-350 - Protect ResourceLinkFactory.setGlobalContext() - CVE-2016-0763 moderate 6. References: https://access.redhat.com/security/cve/CVE-2015-0209 https://access.redhat.com/security/cve/CVE-2015-5312 https://access.redhat.com/security/cve/CVE-2015-5345 https://access.redhat.com/security/cve/CVE-2015-5346 https://access.redhat.com/security/cve/CVE-2015-5351 https://access.redhat.com/security/cve/CVE-2015-7497 https://access.redhat.com/security/cve/CVE-2015-7498 https://access.redhat.com/security/cve/CVE-2015-7499 https://access.redhat.com/security/cve/CVE-2015-7500 https://access.redhat.com/security/cve/CVE-2015-7941 https://access.redhat.com/security/cve/CVE-2015-7942 https://access.redhat.com/security/cve/CVE-2015-8035 https://access.redhat.com/security/cve/CVE-2015-8241 https://access.redhat.com/security/cve/CVE-2015-8242 https://access.redhat.com/security/cve/CVE-2015-8317 https://access.redhat.com/security/cve/CVE-2015-8710 https://access.redhat.com/security/cve/CVE-2016-0706 https://access.redhat.com/security/cve/CVE-2016-0714 https://access.redhat.com/security/cve/CVE-2016-0763 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.0.3 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXO0eWXlSAg2UNWIIRAjqoAJ9kJfUdG/dzrjc6CPe+Ah1NIaqvsACfZE1q 9d1Ta2CX5a+zVXOqLprEvM0= =ByHT -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu May 26 21:46:17 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 26 May 2016 17:46:17 -0400 Subject: [RHSA-2016:1135-01] Important: Red Hat JBoss Data Virtualization security and bug fix update Message-ID: <201605262146.u4QLkHca020641@int-mx14.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Data Virtualization security and bug fix update Advisory ID: RHSA-2016:1135-01 Product: Red Hat JBoss Data Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2016:1135 Issue date: 2016-05-26 CVE Names: CVE-2014-9527 CVE-2016-2510 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Data Virtualization. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database. Security Fix(es): * A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510) * A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely. (CVE-2014-9527) All users of Red Hat JBoss Data Virtualization 6.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on). Note that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process. 4. Bugs fixed (https://bugzilla.redhat.com/): 1181223 - CVE-2014-9527 apache-poi: denial of service in HSLFSlideShow via corrupted PPT file 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 5. References: https://access.redhat.com/security/cve/CVE-2014-9527 https://access.redhat.com/security/cve/CVE-2016-2510 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.2.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXR26nXlSAg2UNWIIRAgktAJ9U5/FHD18dUAFggbiiNtyVrG7f4QCfZSgO XhTkb7wkWzwudtsGcTq7OGI= =N7Rm -----END PGP SIGNATURE-----