[RHSA-2011:0334-01] Important: JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 security update
bugzilla at redhat.com
bugzilla at redhat.com
Wed Mar 9 18:52:26 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 security update
Advisory ID: RHSA-2011:0334-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0334.html
Issue date: 2011-03-09
CVE Names: CVE-2010-4476
=====================================================================
1. Summary:
Updated jbossweb-2.0.0.jar and jbossweb-2.1.10.jar files for JBoss
Enterprise Portal Platform 4.3.CP06 and 5.1.0 that fix one security issue
are now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
2. Description:
JBoss Enterprise Portal Platform is the open source implementation of the
Java EE suite of services and Portal services running atop JBoss Enterprise
Application Platform. It comprises a set of offerings for enterprise
customers who are looking for pre-configured profiles of JBoss Enterprise
Middleware components that have been tested and certified together to
provide an integrated experience.
A denial of service flaw was found in the way certain strings were
converted to Double objects. A remote attacker could use this flaw to cause
JBoss Web Server to hang via a specially-crafted HTTP request.
(CVE-2010-4476)
All users of JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 as
provided from the Red Hat Customer Portal are advised to install this
update. Refer to the Solution section of this erratum for update
instructions.
3. Solution:
Updated jbossweb-2.0.0.jar (for 4.3.CP06) and jbossweb-2.1.10.jar (for
5.1.0) files that fix CVE-2010-4476 for JBoss Enterprise Portal Platform
4.3.CP06 and 5.1.0 are available from the Red Hat Customer Portal. To
download and install the updated files:
1) Log into the Customer Portal: https://access.redhat.com/login
2) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
3) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"Portal Platform". Then, using the "Version:" drop down menu, select the
Portal Platform version you are using, such as "4.3 CP06" or "5.1.0".
4) From the "Security Advisories" tab, click the "CVE-2010-4476 JBossweb
update fixing JDK double bug..." link in the "Download File" column. The
"Software Details" page is displayed, where you can download the update
and view installation instructions.
5) Backup your existing jbossweb.jar file (refer to the "Software Details"
page, from step 4, for the location of this file).
6) After downloading the update, ensure you backed up your existing
jbossweb.jar file as per step 5, and then follow the manual installation
step on the "Software Details" page. After installing the update, the JBoss
server process must be restarted for the update to take effect.
4. Bugs fixed (http://bugzilla.redhat.com/):
674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
5. References:
https://www.redhat.com/security/data/cve/CVE-2010-4476.html
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFNd8xgXlSAg2UNWIIRAkdNAJ0eNQgkzirlBS96ib6BQdAAaRctiACgp3+E
m50w1bwvbnGwVE/cFdccDa8=
=Yujf
-----END PGP SIGNATURE-----
More information about the Jboss-watch-list
mailing list