From bugzilla at redhat.com Wed Feb 1 01:12:38 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:12:38 +0000
Subject: [RHSA-2012:0074-01] Important: jbossweb security update
Message-ID: <201202010112.q111Cc9W030312@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossweb security update
Advisory ID:       RHSA-2012:0074-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0074.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-1184 CVE-2011-2526 CVE-2011-4610
                   CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
                   CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

Updated jbossweb packages that fix multiple security issues are now
available for JBoss Enterprise Application Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss
Enterprise Application Platform. It provides a single deployment platform
for the JavaServer Pages (JSP) and Java Servlet technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8 character
encoding enabled, or that included user-supplied UTF-8 strings in a
response, a remote attacker could use this flaw to cause a denial of
service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could use
this flaw to cause JBoss Web to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map
to the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults
can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
"jboss-as/server/[PROFILE]/deploy/properties-service.xml".
(CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an HTTP
request containing a large number of parameters or large parameter
values. This update introduces limits on the number of parameters and
headers processed per request to address this issue. Refer to the
CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses of
HTTP BASIC authentication, for example, allowing remote attackers to
perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes
when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking
I/O) connector. A malicious web application running on a JBoss Web
instance could use this flaw to bypass security manager restrictions and
gain access to files it would otherwise be unable to access, or possibly
terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT
for reporting CVE-2011-4858; and the Apache Tomcat project for reporting
CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the
original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory,
along with all other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat
Enterprise Linux 4, 5, and 6 should upgrade to these updated packages,
which correct these issues. The JBoss server process must be restarted
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossweb-2.1.12-3_patch_03.2.ep5.el4.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossweb-2.1.12-3_patch_03.2.ep5.el4.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-2.1.12-3_patch_03.2.ep5.el5.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-2.1.12-3_patch_03.2.ep5.el6.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJF1XlSAg2UNWIIRAldNAKCxDL3mWh3T2+4k2xWV4oXFuiDWOgCfRfoi
rlL0TmGksDtt1fDXXt7u5f4=
=NmA1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 01:13:07 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:13:07 +0000
Subject: [RHSA-2012:0075-01] Important: jbossweb security update
Message-ID: <201202010113.q111D71m019479@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossweb security update
Advisory ID:       RHSA-2012:0075-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0075.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-1184 CVE-2011-2526 CVE-2011-4610
                   CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
                   CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.1.2 that fixes
multiple security issues is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss
Enterprise Application Platform. It provides a single deployment platform
for the JavaServer Pages (JSP) and Java Servlet technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8 character
encoding enabled, or that included user-supplied UTF-8 strings in a
response, a remote attacker could use this flaw to cause a denial of
service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could use
this flaw to cause JBoss Web to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map
to the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults
can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
"jboss-as/server/[PROFILE]/deploy/properties-service.xml".
(CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an HTTP
request containing a large number of parameters or large parameter
values. This update introduces limits on the number of parameters and
headers processed per request to address this issue. Refer to the
CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses of
HTTP BASIC authentication, for example, allowing remote attackers to
perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes
when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking
I/O) connector. A malicious web application running on a JBoss Web
instance could use this flaw to bypass security manager restrictions and
gain access to files it would otherwise be unable to access, or possibly
terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT
for reporting CVE-2011-4858; and the Apache Tomcat project for reporting
CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the
original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory,
along with all other customized configuration files.

All users of JBoss Enterprise Application Platform 5.1.2 as provided from
the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

The JBoss server process must be restarted for this update to take
effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJGQXlSAg2UNWIIRAn0uAKCwvamIzkvNSSD6vLz4MlGZc0XnYQCgkK8c
iafM9GusupVWM4htgMnTwj8=
=wOjv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 01:14:05 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:14:05 +0000
Subject: [RHSA-2012:0076-01] Important: jbossweb security update
Message-ID: <201202010114.q111E5TC011651@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossweb security update
Advisory ID:       RHSA-2012:0076-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0076.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-1184 CVE-2011-2526 CVE-2011-4610
                   CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
                   CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

Updated jbossweb packages that fix multiple security issues are now
available for JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise
Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single
deployment platform for the JavaServer Pages (JSP) and Java Servlet
technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8 character
encoding enabled, or that included user-supplied UTF-8 strings in a
response, a remote attacker could use this flaw to cause a denial of
service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could use
this flaw to cause JBoss Web to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map
to the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults
can be changed by setting the
"-Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=x" and
"-Dorg.apache.tomcat.util.http.MimeHeaders.MAX_COUNT=x" system properties
as JAVA_OPTS entries in "jboss-as-web/bin/run.conf". (CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an HTTP
request containing a large number of parameters or large parameter
values. This update introduces limits on the number of parameters and
headers processed per request to address this issue. Refer to the
CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses of
HTTP BASIC authentication, for example, allowing remote attackers to
perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes
when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking
I/O) connector. A malicious web application running on a JBoss Web
instance could use this flaw to bypass security manager restrictions and
gain access to files it would otherwise be unable to access, or possibly
terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT
for reporting CVE-2011-4858; and the Apache Tomcat project for reporting
CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the
original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any
other customized configuration files.

Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux
4, 5, and 6 should upgrade to these updated packages, which correct these
issues. The JBoss server process must be restarted for this update to
take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jbossweb-2.1.12-3_patch_03.2.ep5.el5.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
jbossweb-2.1.12-3_patch_03.2.ep5.el6.src.rpm

noarch:
jbossweb-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-lib-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm
jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJHPXlSAg2UNWIIRAoaYAKCKpkBy6N14QV/iwTLa5Odim0GfRACfXL/i
u9b26w5HvkY3Es8u5U4WEi0=
=ZNQE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 01:14:32 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:14:32 +0000
Subject: [RHSA-2012:0077-01] Important: jbossweb security update
Message-ID: <201202010114.q111EWn5019631@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossweb security update
Advisory ID:       RHSA-2012:0077-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0077.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-1184 CVE-2011-2526 CVE-2011-4610
                   CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
                   CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.1.2 that fixes multiple
security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single
deployment platform for the JavaServer Pages (JSP) and Java Servlet
technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8 character
encoding enabled, or that included user-supplied UTF-8 strings in a
response, a remote attacker could use this flaw to cause a denial of
service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could use
this flaw to cause JBoss Web to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map
to the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults
can be changed by setting the
"-Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=x" and
"-Dorg.apache.tomcat.util.http.MimeHeaders.MAX_COUNT=x" system properties
as JAVA_OPTS entries in "jboss-as-web/bin/run.conf". (CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an HTTP
request containing a large number of parameters or large parameter
values. This update introduces limits on the number of parameters and
headers processed per request to address this issue. Refer to the
CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses of
HTTP BASIC authentication, for example, allowing remote attackers to
perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes
when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking
I/O) connector. A malicious web application running on a JBoss Web
instance could use this flaw to bypass security manager restrictions and
gain access to files it would otherwise be unable to access, or possibly
terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT
for reporting CVE-2011-4858; and the Apache Tomcat project for reporting
CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the
original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any
other customized configuration files.

All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red
Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

The JBoss server process must be restarted for this update to take
effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJHmXlSAg2UNWIIRAvTIAKCGwTfBEwxhEcWsJw+C7QErSayCBwCgrFgR
XvClJkt9GADpgONdnx4u7NE=
=iJ8F
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 01:14:59 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:14:59 +0000
Subject: [RHSA-2012:0078-01] Important: JBoss Communications Platform 5.1.3 update
Message-ID: <201202010114.q111ExL8019506@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Communications Platform 5.1.3 update
Advisory ID:       RHSA-2012:0078-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0078.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-1184 CVE-2011-2526 CVE-2011-4610
                   CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
                   CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

JBoss Communications Platform 5.1.3, which fixes multiple security issues
and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Description:

The JBoss Communications Platform (JBCP) is an open source VoIP platform
certified for JAIN SLEE 1.1 and SIP Servlets 1.1 compliance. JBCP serves
as a high performance core for Service Delivery Platforms (SDPs) and IP
Multimedia Subsystems (IMSs) by leveraging J2EE to enable the convergence
of data and video in Next-Generation Intelligent Network (NGIN)
applications.

This JBoss Communications Platform 5.1.3 release serves as a replacement
for JBoss Communications Platform 5.1.2, and includes various bug fixes.
Refer to the JBoss Communications Platform 5.1.3 Release Notes for
information on the most significant of these changes. The Release Notes
will be available shortly from https://docs.redhat.com/docs/en-US/index.html

The following security issues are also fixed with this release:

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8 character
encoding enabled, or that included user-supplied UTF-8 strings in a
response, a remote attacker could use this flaw to cause a denial of
service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could use
this flaw to cause JBoss Web to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map
to the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults
can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
"server/$PROFILE/deploy/properties-service.xml". (CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an HTTP
request containing a large number of parameters or large parameter
values. This update introduces limits on the number of parameters and
headers processed per request to address this issue. Refer to the
CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses of
HTTP BASIC authentication, for example, allowing remote attackers to
perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes
when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking
I/O) connector. A malicious web application running on a JBoss Web
instance could use this flaw to bypass security manager restrictions and
gain access to files it would otherwise be unable to access, or possibly
terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT
for reporting CVE-2011-4858; and the Apache Tomcat project for reporting
CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the
original reporters of CVE-2011-4858.

Warning: Before applying the update, back up your existing JBoss
Communications Platform installation (including its databases,
applications, configuration files, and so on).

All users of JBoss Communications Platform 5.1.2 as provided from the Red
Hat Customer Portal are advised to upgrade to JBoss Communications
Platform 5.1.3.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/docs/en-US/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=communications.platform&downloadType=distributions

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJICXlSAg2UNWIIRAlAcAJwIDURFiC6/LczI6bNXigxLipAEAgCfdYnD
45cSh0e7fOT1Oex+6tFNjBo=
=EqAp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 22:02:06 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 22:02:06 +0000
Subject: [RHSA-2012:0089-01] Important: JBoss Operations Network 2.4.2 update
Message-ID: <201202012202.q11M26oa031492@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Operations Network 2.4.2 update
Advisory ID: RHSA-2012:0089-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0089.html
Issue date: 2012-02-01
CVE Names: CVE-2011-3206 CVE-2011-4573 CVE-2011-4858 CVE-2012-0052 CVE-2012-0062
=====================================================================

1. Summary:

JBoss Operations Network 2.4.2, which fixes multiple security issues and several bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Operations Network (JBoss ON) is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss ON 2.4.2 release serves as a replacement for JBoss ON 2.4.1, and includes several bug fixes. Refer to the JBoss ON 2.4.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html

The following security issues are also fixed with this release:

JBoss ON did not properly verify security tokens, allowing an unapproved agent to connect as an approved agent. A remote attacker could use this flaw to spoof the identity of an approved agent, allowing them to hijack the approved agent's session and steal its security token. As a result, the attacker could retrieve sensitive data about the server the hijacked agent was running on, including JMX credentials. (CVE-2012-0052)

JBoss ON sometimes allowed agent registration to succeed when the registration request did not include a security token. This is a feature designed to add convenience. A remote attacker could use this flaw to spoof the identity of an approved agent and pass a null security token, allowing them to hijack the approved agent's session, and steal its security token. As a result, the attacker could retrieve sensitive data about the server the hijacked agent was running on, including JMX credentials. (CVE-2012-0062)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in "server/$PROFILE/deploy/properties-service.xml". (CVE-2011-4858)

Multiple cross-site scripting (XSS) flaws were found in the JBoss ON administration interface. If a remote attacker could trick a user, who was logged into the JBoss ON administration interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's JBoss ON session. (CVE-2011-3206)

JBoss ON did not verify that a user had the proper modify resource permissions when they attempted to delete a plug-in configuration update from the group connection properties history. This could allow such a user to delete a plug-in configuration update from the audit trail. Note that a user without modify resource permissions cannot use this flaw to make configuration changes. (CVE-2011-4573)

Red Hat would like to thank oCERT for reporting CVE-2011-4858. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858.

Warning: Before applying the update, back up your existing JBoss ON installation (including its databases, applications, configuration files, and so on).

All users of JBoss Operations Network 2.4.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 2.4.2.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

734662 - CVE-2011-3206 JON: Multiple XSS flaws
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
760024 - CVE-2011-4573 JON: Incorrect delete permissions check
781964 - CVE-2012-0052 JON: Unapproved agents can connect using the name of an existing approved agent
783008 - CVE-2012-0062 JON: Unapproved agents can hijack an approved agent's endpoint by using a null security token

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-3206.html
https://www.redhat.com/security/data/cve/CVE-2011-4573.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2012-0052.html
https://www.redhat.com/security/data/cve/CVE-2012-0062.html
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/docs/en-US/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=2.4.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKbZPXlSAg2UNWIIRApr4AJ9qmS8YQukJFbj0rsa3k1ew20hq/QCeOPPq
otHDTURnBUqLlJXrwIIJ5Wc=
=O3a9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 22:53:00 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 22:53:00 +0000
Subject: [RHSA-2012:0091-01] Important: JBoss Enterprise Portal Platform 4.3 CP07 update
Message-ID: <201202022253.q12Mr056012513@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Portal Platform 4.3 CP07 update
Advisory ID: RHSA-2012:0091-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0091.html
Issue date: 2012-02-02
CVE Names: CVE-2011-1184 CVE-2011-1484 CVE-2011-2526 CVE-2011-4085 CVE-2011-4858 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
=====================================================================

1. Summary:

JBoss Enterprise Portal Platform 4.3 CP07, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience.

This JBoss Enterprise Portal Platform 4.3 CP07 release serves as a replacement for JBoss Enterprise Portal Platform 4.3 CP06. Refer to the JBoss Enterprise Portal Platform 4.3 CP07 Release Notes, available shortly from docs.redhat.com, for information on the most significant bug fixes included in this release.

The following security fixes are also included:

JBoss Seam 2 did not properly block access to JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (CVE-2011-1484)

Note: If you have created custom applications that are packaged with a copy of the JBoss Seam 2 library, those applications must be rebuilt with the updated jboss-seam.jar file provided by this update.

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in "server/$PROFILE/deploy/properties-service.xml". (CVE-2011-4858)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST authentication. These flaws weakened the JBoss Web HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

The invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085)

A flaw was found in the way JBoss Web handled sendfile request attributes when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking I/O) connector. A malicious web application running on a JBoss Web instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting CVE-2011-1484; oCERT for reporting CVE-2011-4858; and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858.

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files.

All users of JBoss Enterprise Portal Platform 4.3 CP06 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Portal Platform 4.3 CP07.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

The JBoss server process must be restarted for this update to take effect.

Note that if you have created custom applications that are packaged with a copy of the JBoss Seam 2 library, those applications must be rebuilt with the updated jboss-seam.jar file provided by this update.

4. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages
720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750422 - CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4085.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jbportal&version=4.3+CP07
https://docs.redhat.com/docs/en-US/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKxPBXlSAg2UNWIIRAhb4AJ9Ks5/uus0s8PacXmno8u4QexJjkgCfap76
nuOq8z4B/1ANHDcKjdHi/Go=
=H33V
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Feb 10 00:24:07 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Feb 2012 00:24:07 +0000
Subject: [RHSA-2012:0108-01] Low: jbosscache security update
Message-ID: <201202100024.q1A0O86c004705@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: jbosscache security update
Advisory ID: RHSA-2012:0108-01
Product: JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0108.html
Issue date: 2012-02-10
CVE Names: CVE-2012-0034
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Cache is the clustering backbone for data distribution in JBoss Enterprise Application Platform. It provides the backing implementation for web session replication, stateful session bean replication and entity caching.

It was found that NonManagedConnectionFactory would log the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file.
(CVE-2012-0034)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/lib/jbosscache-core.jar" file.

All users of JBoss Enterprise Application Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section for installation information.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

To apply this update:

1) Before applying this update, back up your existing JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/lib/jbosscache-core.jar" file.

2) Download the update.

3) Rename the jbosscache-core-JBPAPP-7852-signed.jar file provided by the ZIP file to jbosscache-core.jar, and then copy it to the "jboss-as/server/[PROFILE]/lib/" directory, overwriting the old jbosscache-core.jar.

4) Restart the JBoss server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-0034.html
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPNGODXlSAg2UNWIIRAgSUAKDBXgJhZLOfNbU/fm4PvLn01UIxAQCcCESF
66NNx7bJLRRoITMz44JH0GA=
=FXjg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 22 05:16:39 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Feb 2012 05:16:39 +0000
Subject: [RHSA-2012:0325-01] Important: jbossweb security update
Message-ID: <201202220516.q1M5GeHH012183@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: jbossweb security update
Advisory ID: RHSA-2012:0325-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0325.html
Issue date: 2012-02-22
CVE Names: CVE-2011-1184 CVE-2011-2526 CVE-2011-4610 CVE-2011-4858 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 CVE-2012-0022
=====================================================================

1. Summary:

An update for JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0, and JBoss Enterprise SOA Platform 5.2.0 that fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair characters. If JBoss Web was hosting an application with UTF-8 character encoding enabled, or that included user-supplied UTF-8 strings in a response, a remote attacker could use this flaw to cause a denial of service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in "jboss-as/server/[PROFILE]/deploy/properties-service.xml". (CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make a JBoss Web server use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST authentication. These flaws weakened the JBoss Web HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking I/O) connector. A malicious web application running on a JBoss Web instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610; oCERT for reporting CVE-2011-4858; and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss installation, including any databases, applications, configuration files, and so on.

All users of JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0, and JBoss Enterprise SOA Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the update).

The JBoss server process must be restarted for this update to take effect.

For users of JBoss Enterprise BRMS Platform and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then, after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
767871 - CVE-2011-4610 JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
783359 - CVE-2012-0022 tomcat: large number of parameters DoS

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-4610.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.2.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.2.0+GA

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPRHogXlSAg2UNWIIRAprrAJ9Hqc55CPhflnMk1wb3idOY888RUACgmv5J
XRjBMOHZR1NRxbhlHmVqIwY=
=eZiM
-----END PGP SIGNATURE-----
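The CVE-2011-4858 / CVE-2012-0022 mitigation that the advisories above describe (a hard cap of 512 parameters and 128 headers per request, tunable via the two MAX_COUNT system properties) is illustrated below as a small Python model. This is an added example, not JBoss Web or Tomcat code; the exact policy shown (parameters past the limit are dropped and the request is flagged, a header count past the limit rejects the request outright) is this example's own assumption, and the sample requests are constructed.

```python
"""Model of per-request parameter/header count limits (added example).

Assumed policy, not necessarily JBoss Web's: parsing stops once the
parameter cap is hit (the request is flagged as truncated), while a
header count over the cap rejects the request before anything is stored.
The point is that the CPU an attacker can force is bounded by the cap,
whatever names (colliding or not) they put in the request.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Defaults quoted in the advisories; in JBoss Web they come from the
# org.apache.tomcat.util.http.Parameters.MAX_COUNT and
# org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
DEFAULT_MAX_PARAMETERS = 512
DEFAULT_MAX_HEADERS = 128


class TooManyHeaders(ValueError):
    """Raised when a request carries more headers than the configured cap."""


@dataclass
class ParsedRequest:
    headers: dict = field(default_factory=dict)
    parameters: dict = field(default_factory=dict)
    parameters_truncated: bool = False  # True if the cap stopped parsing


def parse_headers(raw_headers, max_headers=DEFAULT_MAX_HEADERS):
    """Parse 'Name: value' lines, refusing the request past max_headers.

    The count is checked before the value is stored or hashed, so no work
    proportional to the attacker's input happens beyond the cap.
    """
    headers = {}
    count = 0
    for line in raw_headers:
        if not line.strip():
            continue
        count += 1
        if count > max_headers:
            raise TooManyHeaders(f"more than {max_headers} headers in request")
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_query(query, max_parameters=DEFAULT_MAX_PARAMETERS):
    """Parse a form-urlencoded string with a count cap.

    Returns (parameters, truncated). Every '&'-separated pair counts,
    repeated names included, since each one costs a hash-table insert.
    """
    params = {}
    truncated = False
    count = 0
    for pair in query.split("&"):
        if pair == "":
            continue
        count += 1
        if count > max_parameters:
            truncated = True
            break  # stop spending CPU on the remainder of the body
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params, truncated


def parse_request(raw_headers, query,
                  max_parameters=DEFAULT_MAX_PARAMETERS,
                  max_headers=DEFAULT_MAX_HEADERS):
    """Apply both caps to one request; header rejection happens first."""
    req = ParsedRequest()
    req.headers = parse_headers(raw_headers, max_headers)
    req.parameters, req.parameters_truncated = parse_query(query, max_parameters)
    return req


# Constructed sample input: a benign request and a 2000-parameter flood.
BENIGN_HEADERS = ["Host: example.test", "Accept: */*"]
BENIGN_QUERY = "user=alice&lang=en"
FLOOD_QUERY = "&".join(f"p{i}={i}" for i in range(2000))


def demo():
    """Return the parsed benign request and the capped flood request."""
    return parse_request(BENIGN_HEADERS, BENIGN_QUERY), \
        parse_request(BENIGN_HEADERS, FLOOD_QUERY)


if __name__ == "__main__":
    ok, capped = demo()
    print(len(ok.parameters), ok.parameters_truncated)          # 2 False
    print(len(capped.parameters), capped.parameters_truncated)  # 512 True
```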