From bugzilla at redhat.com Tue Jun 12 23:30:41 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 12 Jun 2012 23:30:41 +0000
Subject: [RHSA-2012:0725-01] Moderate: JBoss Operations Network 3.1.0 update
Message-ID: <201206122330.q5CNUg47028139@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Operations Network 3.1.0 update
Advisory ID:       RHSA-2012:0725-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0725.html
Issue date:        2012-06-12
CVE Names:         CVE-2009-2625
=====================================================================

1. Summary:

JBoss Operations Network 3.1.0, which fixes one security issue, several bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Operations Network (JBoss ON) is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss ON 3.1.0 release serves as a replacement for JBoss ON 3.0.1, and includes several bug fixes and enhancements. Refer to the JBoss ON 3.1.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html

The following security issue is also fixed with this release:

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

Warning: Before applying the update, back up your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on).

All users of JBoss Operations Network 3.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.1.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on).

Refer to the JBoss Operations Network 3.1.0 Release Notes for installation information.

4. Bugs fixed (http://bugzilla.redhat.com/):

512921 - CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)

5. References:

https://www.redhat.com/security/data/cve/CVE-2009-2625.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.1.0
https://docs.redhat.com/docs/en-US/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP19EUXlSAg2UNWIIRAgYuAKCQFejmgK9fY8jgq3yeNI23nNwvEQCfdpV2
JzewgvXtyiNbqAB3WEgSQRo=
=kxpq
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jun 19 19:44:02 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Jun 2012 19:44:02 +0000
Subject: [RHSA-2012:1010-01] Moderate: mod_cluster security update
Message-ID: <201206191944.q5JJi3MX027559@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mod_cluster security update
Advisory ID:       RHSA-2012:1010-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1010.html
Issue date:        2012-06-19
CVE Names:         CVE-2012-1154
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

mod_cluster is an Apache HTTP Server (httpd) based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes.

The JBoss Enterprise Application Platform 5.1.2 release (RHSA-2011:1805) introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application. (CVE-2012-1154)

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

All users of JBoss Enterprise Application Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-1154.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2
https://rhn.redhat.com/errata/RHSA-2011-1805.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4NZwXlSAg2UNWIIRAigbAJ4iH8tNeDCRnou4WFAQalgUlo1JeQCggMsN
5xDCb+AKeuw4aE0kU/hdzvs=
=1fPV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jun 19 19:44:31 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Jun 2012 19:44:31 +0000
Subject: [RHSA-2012:1011-01] Moderate: mod_cluster security update
Message-ID: <201206191944.q5JJiWFA015960@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mod_cluster security update
Advisory ID:       RHSA-2012:1011-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1011.html
Issue date:        2012-06-19
CVE Names:         CVE-2012-1154
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

mod_cluster is an Apache HTTP Server (httpd) based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes.

The JBoss Enterprise Web Platform 5.1.2 release (RHSA-2011:1806) introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application. (CVE-2012-1154)

Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files.

All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-1154.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.1.2
https://rhn.redhat.com/errata/RHSA-2011-1806.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4NaRXlSAg2UNWIIRAt50AJ4zPHo3asx+9ziDb/signTr5eLPmACePDat
dvBhHnQTA56/lDKalctHaaQ=
=GIaP
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jun 19 19:45:04 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Jun 2012 19:45:04 +0000
Subject: [RHSA-2012:1012-01] Moderate: mod_cluster security update
Message-ID: <201206191945.q5JJj5KN023921@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mod_cluster security update
Advisory ID:       RHSA-2012:1012-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1012.html
Issue date:        2012-06-19
CVE Names:         CVE-2012-1154
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Server 1.0.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

mod_cluster is an Apache HTTP Server (httpd) based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes.

The RHSA-2012:0036 update for JBoss Enterprise Web Server 1.0.2 introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application. (CVE-2012-1154)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

All users of JBoss Enterprise Web Server 1.0.2 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Apache Tomcat must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-1154.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2
https://rhn.redhat.com/errata/RHSA-2012-0036.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
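Added illustration for the three mod_cluster advisories above (RHSA-2012:1010, 1011 and 1012); it is constructed for this page and is not mod_cluster's own code. It shows the class of mistake the advisories describe: an exclusion check that compares the configured names from "excludedContexts" against raw servlet context paths never matches the root context, whose path is the empty string rather than "ROOT", so the root application is registered with httpd despite being listed. `isExcluded` is the hypothetical buggy check, `isExcludedFixed` the corrected one; the exclusion list and the context paths are sample values.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ContextExclusion {

    /** Parses an excludedContexts-style list such as "ROOT,jmx-console,web-console". */
    static Set<String> parseExcluded(String list) {
        Set<String> names = new HashSet<>();
        for (String s : list.split(",")) {
            if (!s.trim().isEmpty()) names.add(s.trim());
        }
        return names;
    }

    /** Hypothetical buggy check: strips the leading slash and compares the rest with the
     *  configured names. The root context's path is "" in the servlet API, so "ROOT"
     *  never matches it and the root application is registered with httpd anyway. */
    static boolean isExcluded(Set<String> excluded, String contextPath) {
        String name = contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
        return excluded.contains(name);
    }

    /** Corrected check: normalize the context path to a context name first, mapping the
     *  root context ("" or "/") to the conventional name "ROOT" before comparing. */
    static boolean isExcludedFixed(Set<String> excluded, String contextPath) {
        String name = contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
        if (name.isEmpty()) name = "ROOT";
        return excluded.contains(name);
    }

    public static void main(String[] args) {
        Set<String> excluded = parseExcluded("ROOT,jmx-console,web-console");
        // Constructed context paths as a servlet container reports them.
        for (String path : Arrays.asList("", "/jmx-console", "/shop")) {
            System.out.printf("path=\"%s\"  buggy=%s  fixed=%s%n",
                    path, isExcluded(excluded, path), isExcludedFixed(excluded, path));
        }
    }
}
```

After applying the erratum, the useful end-to-end check is from the httpd side: a request for "/" through the balancer must not be forwarded to the node, while a request for a context that is not excluded still is.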
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4NaxXlSAg2UNWIIRAiudAKCu476cKNTNFYrtSzDJG6of6lKqzQCgnhNH
6nmAnYeNJkeXnNHKxxuZZOY=
=t/uk
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jun 19 19:45:33 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Jun 2012 19:45:33 +0000
Subject: [RHSA-2012:1013-01] Moderate: jbossas security update
Message-ID: <201206191945.q5JJjYPN016655@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossas security update
Advisory ID:       RHSA-2012:1013-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1013.html
Issue date:        2012-06-19
CVE Names:         CVE-2012-1167
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

The Java Authorization Contract for Containers (Java ACC) specification defines Permission classes and the binding of container access decisions to operations on instances of these permission classes. JaccAuthorizationRealm performs authorization based on Java ACC permissions and a Policy implementation.

When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167)

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

All users of JBoss Enterprise Application Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-1167.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4NbQXlSAg2UNWIIRAuBRAJsFdgHZIFh5LzfwyMITKrasgST/6ACgtVgo
RtTAdqWIlAyaKxcdf7/Kq4I=
=i5OV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jun 19 19:46:04 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Jun 2012 19:46:04 +0000
Subject: [RHSA-2012:1014-01] Moderate: jbossas security update
Message-ID: <201206191946.q5JJk6YY006237@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossas security update
Advisory ID:       RHSA-2012:1014-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1014.html
Issue date:        2012-06-19
CVE Names:         CVE-2012-1167
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

The Java Authorization Contract for Containers (Java ACC) specification defines Permission classes and the binding of container access decisions to operations on instances of these permission classes. JaccAuthorizationRealm performs authorization based on Java ACC permissions and a Policy implementation.

When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167)

Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files.

All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-1167.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
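Added verification harness for the two CVE-2012-1167 advisories above (RHSA-2012:1013 and 1014); it is not part of the advisories and not JBoss code. It requests a URL covered by a web.xml security-constraint twice over HTTP Basic authentication, once as a user who holds the required role and once as a valid user who does not, and reports whether the container enforced the role. On a server affected by the flaw (JaccAuthorizationRealm with ignoreBaseDecision set to true) the second request is served; after the update a valid user without the role must get 403. The host, the protected path, the role and the two accounts are assumptions to replace with your own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class RoleEnforcementCheck {

    /** Sends one GET with HTTP Basic credentials and returns the HTTP status code. */
    static int statusAs(String url, String user, String password) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        c.setInstanceFollowRedirects(false);   // a redirect to a login page must not look like 200
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.UTF_8));
        c.setRequestProperty("Authorization", "Basic " + token);
        int status = c.getResponseCode();
        c.disconnect();
        return status;
    }

    /** True only if the role holder is served and the authenticated role-less user is refused. */
    static boolean rolesEnforced(int statusWithRole, int statusWithoutRole) {
        return statusWithRole == 200 && statusWithoutRole == 403;
    }

    public static void main(String[] args) throws IOException {
        // Assumed deployment: /app/admin/ is protected by a <security-constraint> that requires
        // the role "admin"; "alice" holds that role, "bob" is a valid user who does not.
        String url = args.length > 0 ? args[0] : "http://localhost:8080/app/admin/";
        int alice = statusAs(url, "alice", "alice-password");
        int bob = statusAs(url, "bob", "bob-password");
        System.out.println("alice (has role):   HTTP " + alice);
        System.out.println("bob   (no role):    HTTP " + bob);
        System.out.println(rolesEnforced(alice, bob)
                ? "OK: role constraint enforced"
                : "FAIL: an authenticated user without the role was not refused");
    }
}
```

Run it against each server profile before and after the update; a 401 for "bob" means his credentials were wrong rather than that the role was enforced, so fix the test accounts before trusting the result.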
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4NbuXlSAg2UNWIIRAg7iAKCwDtDIZA8GkcXOsc6qP8puSMybrACcDlVO
YyQu73YOtvqchEcf3ywKdkw=
=PEk4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:08:05 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:08:05 +0000
Subject: [RHSA-2012:1022-01] Important: jbossas security update
Message-ID: <201206201608.q5KG86Nl007551@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas security update
Advisory ID:       RHSA-2012:1022-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1022.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Application Server is the base package for JBoss Enterprise Application Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

All users of JBoss Enterprise Application Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fVTXlSAg2UNWIIRAl6lAJ9E6Oxmkziquhq4WyyMiEbMGGdlGQCgh4Iw
oepdCh2zZ/5kpREUwKC33Ws=
=CKm8
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:08:37 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:08:37 +0000
Subject: [RHSA-2012:1023-01] Important: jbossas security update
Message-ID: <201206201608.q5KG8cGj007833@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas security update
Advisory ID:       RHSA-2012:1023-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1023.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Application Server is the base package for JBoss Enterprise Web Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.

Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files.

All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.1.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fV7XlSAg2UNWIIRAjq/AJ9BVDRDIYRx4LALXZ3O97wpZQnOwwCfaIPU
Dr35NiLxzIfboMwocqRzKEY=
=JLXp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:09:03 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:09:03 +0000
Subject: [RHSA-2012:1024-01] Important: jbossas security update
Message-ID: <201206201609.q5KG94Vx006506@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas security update
Advisory ID:       RHSA-2012:1024-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1024.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 4.3.0 CP10 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Application Server is the base package for JBoss Enterprise Application Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

All users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=4.3.0.GA_CP10

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fWTXlSAg2UNWIIRApr/AKCd7px6/gme9TWeS6Xr9ZraeaNILwCgrxi+
J6+ogi7LED2mn+maS1sJQSI=
=DAOi
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:09:32 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:09:32 +0000
Subject: [RHSA-2012:1025-01] Important: jbossas security update
Message-ID: <201206201609.q5KG9XPk008132@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas security update
Advisory ID:       RHSA-2012:1025-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1025.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605
=====================================================================

1. Summary:

Updated jbossas packages that fix one security issue are now available for JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

JBoss Application Server is the base package for JBoss Enterprise Application Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

Users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red Hat Enterprise Linux 4 and 5 should upgrade to these updated packages, which correct this issue. The JBoss server process must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.src.rpm

noarch:
jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.noarch.rpm
jbossas-client-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.src.rpm

noarch:
jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.noarch.rpm
jbossas-client-4.3.0-10.GA_CP10_patch_01.1.ep1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el5.src.rpm

noarch:
jbossas-4.3.0-10.GA_CP10_patch_01.1.ep1.el5.noarch.rpm
jbossas-client-4.3.0-10.GA_CP10_patch_01.1.ep1.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fWsXlSAg2UNWIIRAgLgAJ4iQ1bpBlpOdeT/F7UMvNwPcUOtDgCgo1qh
dR6KvbqpmQmxqnYO6W4m87M=
=9haW
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:10:04 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:10:04 +0000
Subject: [RHSA-2012:1026-01] Important: jbossas and jboss-naming security update
Message-ID: <201206201610.q5KGA5ER030874@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas and jboss-naming security update
Advisory ID:       RHSA-2012:1026-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1026.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605 CVE-2012-1167
=====================================================================

1. Summary:

Updated jbossas and jboss-naming packages that fix two security issues are now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Application Server is the base package for JBoss Enterprise Application Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

The Java Authorization Contract for Containers (Java ACC) specification defines Permission classes and the binding of container access decisions to operations on instances of these permission classes. JaccAuthorizationRealm performs authorization based on Java ACC permissions and a Policy implementation.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting CVE-2011-4605.

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct these issues. The JBoss server process must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossas-5.1.2-10.ep5.el4.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-5.1.2-10.ep5.el4.noarch.rpm
jbossas-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el4.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossas-5.1.2-10.ep5.el4.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-5.1.2-10.ep5.el4.noarch.rpm
jbossas-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el4.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-5.1.2-10.ep5.el5.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm
jbossas-5.1.2-10.ep5.el5.noarch.rpm
jbossas-client-5.1.2-10.ep5.el5.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el5.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-5.1.2-10.ep5.el6.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm
jbossas-5.1.2-10.ep5.el6.noarch.rpm
jbossas-client-5.1.2-10.ep5.el6.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el6.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://www.redhat.com/security/data/cve/CVE-2012-1167.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fXKXlSAg2UNWIIRAiuOAJ4m5i1k9Emuqxb1QHBkfojEYonqGwCdHKTK
iTqEhwZiNIQR62MU+g17vNg=
=ZTTD
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jun 20 16:10:42 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Jun 2012 16:10:42 +0000
Subject: [RHSA-2012:1027-01] Important: jbossas-web and jboss-naming security update
Message-ID: <201206201610.q5KGAhbh007065@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossas-web and jboss-naming security update
Advisory ID:       RHSA-2012:1027-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1027.html
Issue date:        2012-06-20
CVE Names:         CVE-2011-4605 CVE-2012-1167
=====================================================================

1. Summary:

Updated jbossas-web and jboss-naming packages that fix two security issues are now available for JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Application Server is the base package for JBoss Enterprise Web Platform, providing the core server components.

The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

The Java Authorization Contract for Containers (Java ACC) specification defines Permission classes and the binding of container access decisions to operations on instances of these permission classes. JaccAuthorizationRealm performs authorization based on Java ACC permissions and a Policy implementation.

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting CVE-2011-4605.

Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "server/[PROFILE]/deploy/" directory and any other customized configuration files.

Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct these issues. The JBoss server process must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
jbossas-web-5.1.2-10.ep5.el4.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-web-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
jbossas-web-5.1.2-10.ep5.el4.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-web-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.src.rpm
jbossas-web-5.1.2-10.ep5.el5.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm
jbossas-web-5.1.2-10.ep5.el5.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el5.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.src.rpm
jbossas-web-5.1.2-10.ep5.el6.src.rpm

noarch:
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm
jbossas-web-5.1.2-10.ep5.el6.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el6.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://www.redhat.com/security/data/cve/CVE-2012-1167.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP4fXvXlSAg2UNWIIRAu7TAJ9ku9rzvhAqnQGLCe6HqLPMBZ1pvACeLTwo
6tCPWVMNtPQntwAJNKycbEI=
=C47C
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Jun 22 01:29:36 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 22 Jun 2012 01:29:36 +0000
Subject: [RHSA-2012:1028-01] Important: JBoss Enterprise BRMS Platform 5.3.0 update
Message-ID: <201206220129.q5M1TaXp008938@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise BRMS Platform 5.3.0 update
Advisory ID:       RHSA-2012:1028-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1028.html
Issue date:        2012-06-22
CVE Names:         CVE-2011-4085 CVE-2011-4605 CVE-2012-2377
=====================================================================

1. Summary:

JBoss Enterprise BRMS Platform 5.3.0, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.

This release of JBoss Enterprise BRMS Platform 5.3.0 serves as a replacement for JBoss Enterprise BRMS Platform 5.2.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise BRMS Platform 5.3.0 Release Notes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html

The following security issues are also fixed with this release:

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085)

When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting CVE-2011-4605.

Warning: Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise BRMS Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise BRMS Platform 5.3.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on).

4. Bugs fixed (http://bugzilla.redhat.com/):

750422 - CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)
766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
823392 - CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-4085.html
https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://www.redhat.com/security/data/cve/CVE-2012-2377.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions
https://docs.redhat.com/docs/en-US/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFP48ppXlSAg2UNWIIRAuvfAJkBEt7BGoBnd0xBiy8+LLUIEP1kmgCgoZ4P
KdN4iIuXKzcJeDfIPCIULtw=
=D4Vt
-----END PGP SIGNATURE-----
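The HTTP verb tampering pattern behind CVE-2011-4085 in the RHSA-2012:1028-01 advisory above (access control applied only to GET and POST) can be audited at the deployment-descriptor level. The Python below is an added example written for this page, not Red Hat's or the JBoss httpha-invoker project's code: it flags security-constraints that are enforced only for the HTTP methods they list and rewrites them to cover every verb. The web.xml content, url-patterns and role name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the descriptor shipped with JBoss httpha-invoker).
# The first constraint names GET and POST only, so other verbs fall outside it;
# the second has no <auth-constraint>, grants no protection, and is not flagged.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/JMXInvokerServlet</url-pattern>
      <url-pattern>/EJBInvokerServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unprotected</web-resource-name>
      <url-pattern>/status</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace from a tag: '{ns}http-method' -> 'http-method'."""
    return tag.rsplit('}', 1)[-1]

def _children(elem, name):
    """Direct children of elem with the given local name, namespace-agnostic."""
    return [c for c in elem if _local(c.tag) == name]

def _text(elem):
    return (elem.text or '').strip()

def verb_limited_constraints(web_xml):
    """One finding per role-protected web-resource-collection that lists
    explicit <http-method> elements, i.e. that is enforced for those verbs only."""
    findings = []
    for sc in _children(ET.fromstring(web_xml), 'security-constraint'):
        if not _children(sc, 'auth-constraint'):
            continue  # no role required: nothing for a different verb to bypass
        for wrc in _children(sc, 'web-resource-collection'):
            methods = [_text(m).upper() for m in _children(wrc, 'http-method')]
            if not methods:
                continue  # no <http-method> listed: every verb is covered
            findings.append({
                'url_patterns': [_text(p) for p in _children(wrc, 'url-pattern')],
                'protected_methods': methods,
            })
    return findings

def remove_verb_limits(web_xml):
    """Return the descriptor with <http-method> dropped from every role-protected
    collection, so each such constraint applies to all HTTP methods."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith('{'):  # keep the default namespace on output
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    for sc in _children(root, 'security-constraint'):
        if not _children(sc, 'auth-constraint'):
            continue
        for wrc in _children(sc, 'web-resource-collection'):
            for m in _children(wrc, 'http-method'):
                wrc.remove(m)
    return ET.tostring(root, encoding='unicode')

if __name__ == '__main__':
    for f in verb_limited_constraints(VULNERABLE_WEB_XML):
        print(f"{f['url_patterns']}: access control applies only to {f['protected_methods']}")
```

The descriptor check covers only the JBoss Web layer; as the advisory notes, the invoker also relies on a security interceptor as a second layer, which this audit does not inspect.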