[RHSA-2011:0896-01] Moderate: JBoss Enterprise Web Server 1.0.2 update

Thu Jun 23 06:49:58 UTC 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Enterprise Web Server 1.0.2 update
Advisory ID:       RHSA-2011:0896-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0896.html
Issue date:        2011-06-22
CVE Names:         CVE-2008-7270 CVE-2009-3245 CVE-2009-3560 
                   CVE-2009-3720 CVE-2009-3767 CVE-2010-1157 
                   CVE-2010-1452 CVE-2010-1623 CVE-2010-2068 
                   CVE-2010-3718 CVE-2010-4172 CVE-2010-4180 
                   CVE-2011-0013 CVE-2011-0419 
=====================================================================

1. Summary:

JBoss Enterprise Web Server 1.0.2 is now available from the Red Hat
Customer Portal for Red Hat Enterprise Linux 4, 5 and 6, Solaris, and
Microsoft Windows.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

JBoss Enterprise Web Server is a fully-integrated and certified set of
components for hosting Java web applications.

This is the first release of JBoss Enterprise Web Server for Red Hat
Enterprise Linux 6. For Red Hat Enterprise Linux 4 and 5, Solaris, and
Microsoft Windows, this release serves as a replacement for JBoss
Enterprise Web Server 1.0.1, and includes a number of bug fixes. Refer to
the Release Notes, linked in the References, for more information.

This update corrects security flaws in the following components:

tomcat6:

A cross-site scripting (XSS) flaw was found in the Manager application,
used for managing web applications on Apache Tomcat. If a remote attacker
could trick a user who is logged into the Manager application into visiting
a specially-crafted URL, the attacker could perform Manager application
tasks with the privileges of the logged in user. (CVE-2010-4172)

tomcat5 and tomcat6:

It was found that web applications could modify the location of the Apache
Tomcat host's work directory. As web applications deployed on Tomcat have
read and write access to this directory, a malicious web application could
use this flaw to trick Tomcat into giving it read and write access to an
arbitrary directory on the file system. (CVE-2010-3718)

A second cross-site scripting (XSS) flaw was found in the Manager
application. A malicious web application could use this flaw to conduct an
XSS attack, leading to arbitrary web script execution with the privileges
of victims who are logged into and viewing Manager application web pages.
(CVE-2011-0013)

A possible minor information leak was found in the way Apache Tomcat
generated HTTP BASIC and DIGEST authentication requests. For configurations
where a realm name was not specified and Tomcat was accessed via a proxy,
the default generated realm contained the hostname and port used by the
proxy to send requests to the Tomcat server. (CVE-2010-1157)

httpd:

A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled certain requests. If a remote attacker were to send a carefully
crafted request to the server, it could cause the httpd child process to
crash. (CVE-2010-1452)

A flaw was discovered in the way the mod_proxy_http module of the Apache
HTTP Server handled the timeouts of requests forwarded by a reverse proxy
to the back-end server. In some configurations, the proxy could return
a response intended for another user under certain timeout conditions,
possibly leading to information disclosure. Note: This issue only affected
httpd running on the Windows operating system. (CVE-2010-2068)

apr:

It was found that the apr_fnmatch() function used an unconstrained
recursion when processing patterns with the '*' wildcard. An attacker could
use this flaw to cause an application using this function, which also
accepted untrusted input as a pattern for matching (such as an httpd server
using the mod_autoindex module), to exhaust all stack memory or use an
excessive amount of CPU time when performing matching. (CVE-2011-0419)

apr-util:

It was found that certain input could cause the apr-util library to
allocate more memory than intended in the apr_brigade_split_line()
function. An attacker able to provide input in small chunks to an
application using the apr-util library (such as httpd) could possibly use
this flaw to trigger high memory consumption. (CVE-2010-1623)

The following flaws were corrected in the packages for Solaris and Windows.
Updates for Red Hat Enterprise Linux can be downloaded from the Red Hat
Network.

Multiple flaws in OpenSSL, which could possibly cause a crash, code
execution, or a change of session parameters, have been corrected.
(CVE-2009-3245, CVE-2010-4180, CVE-2008-7270)

Two denial of service flaws were corrected in Expat. (CVE-2009-3560,
CVE-2009-3720)

An X.509 certificate verification flaw was corrected in OpenLDAP.
(CVE-2009-3767)

More information about these flaws is available from the CVE links in the
References.

3. Solution:

All users of JBoss Enterprise Web Server 1.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Enterprise Web Server
1.0.2, which corrects these issues.

The References section of this erratum contains a download link (you must
log in to download the update). Before installing the update, backup your
existing JBoss Enterprise Web Server installation (including all
applications and configuration files). Apache Tomcat and the Apache HTTP
Server must be restarted for the update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

530715 - CVE-2009-3767 OpenLDAP: Doesn't properly handle NULL character in subject Common Name
531697 - CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences
533174 - CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences
570924 - CVE-2009-3245 openssl: missing bn_wexpand return value checks
585331 - CVE-2010-1157 tomcat: information disclosure in authentication headers
618189 - CVE-2010-1452 httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments
632994 - CVE-2010-2068 httpd (mod_proxy): Sensitive response disclosure due improper handling of timeouts
640281 - CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line()
656246 - CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application
659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
675786 - CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
675792 - CVE-2010-3718 tomcat: file permission bypass flaw
703390 - CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch

5. References:

https://www.redhat.com/security/data/cve/CVE-2008-7270.html
https://www.redhat.com/security/data/cve/CVE-2009-3245.html
https://www.redhat.com/security/data/cve/CVE-2009-3560.html
https://www.redhat.com/security/data/cve/CVE-2009-3720.html
https://www.redhat.com/security/data/cve/CVE-2009-3767.html
https://www.redhat.com/security/data/cve/CVE-2010-1157.html
https://www.redhat.com/security/data/cve/CVE-2010-1452.html
https://www.redhat.com/security/data/cve/CVE-2010-1623.html
https://www.redhat.com/security/data/cve/CVE-2010-2068.html
https://www.redhat.com/security/data/cve/CVE-2010-3718.html
https://www.redhat.com/security/data/cve/CVE-2010-4172.html
https://www.redhat.com/security/data/cve/CVE-2010-4180.html
https://www.redhat.com/security/data/cve/CVE-2011-0013.html
https://www.redhat.com/security/data/cve/CVE-2011-0419.html
https://access.redhat.com/security/updates/classification/#moderate
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Web_Server/1.0/html-single/Release_Notes_1.0.2/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=1.0.2

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOAuGhXlSAg2UNWIIRAqmMAJ4r9f3dvSqtXd7MjjpO8g90BsEongCgmhEo
/GsGpZfcRmJUiJiwYZJk5fU=
=KiZb
-----END PGP SIGNATURE-----