From bugzilla at redhat.com Tue Apr 9 18:17:22 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 Apr 2013 18:17:22 +0000
Subject: [RHSA-2013:0726-01] Important: JBoss Enterprise SOA Platform 5.3.1 update
Message-ID: <201304091817.r39IHMp1009650@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 5.3.1 update
Advisory ID:       RHSA-2013:0726-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0726.html
Issue date:        2013-04-09
CVE Names:         CVE-2012-3451 CVE-2012-5633 CVE-2012-5885 CVE-2012-5886
                   CVE-2012-5887
=====================================================================

1. Summary:

JBoss Enterprise SOA Platform 5.3.1 roll up patch 1, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality.

This roll up patch serves as a cumulative upgrade for JBoss Enterprise SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release:

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-3451.

Warning: Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise SOA Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the JBoss Enterprise SOA Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise SOA Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
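The two Apache CXF flaws in the advisory above (CVE-2012-5633 and CVE-2012-3451) come down to two request-level checks that a secured SOAP endpoint has to make. The following is an added example, not Red Hat or Apache CXF code: a small request gate that refuses the GET-based URI mapping for a WS-Security protected service and requires the SOAPAction header to agree with the operation actually carried in the SOAP Body. The service contract, operation names and SOAPAction URIs are constructed for the example.

```python
"""Request gate for a WS-Security protected SOAP endpoint (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed service contract: each operation has its own SOAPAction URI.
# "balance" and "transfer" accept the same parameter shape, which is exactly
# the situation in which SOAPAction spoofing matters.
OPERATIONS = {
    "http://example.test/bank/balance": "balance",
    "http://example.test/bank/transfer": "transfer",
}


def body_operation(envelope_xml: str) -> str:
    """Return the local name of the first child of soap:Body, or '' if none."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP11_ENV}}}Body")
    if body is None or len(body) == 0:
        return ""
    tag = body[0].tag
    return tag.split("}", 1)[1] if "}" in tag else tag


def check_request(method: str, soapaction: Optional[str], payload: str) -> str:
    """Return 'ok' or a rejection reason for one inbound request."""
    # CVE-2012-5633 lesson: a secured SOAP endpoint must not honour the
    # GET-based URI mapping, since the WS-Security header cannot travel on it.
    if method.upper() != "POST":
        return "reject: only POST carries a WS-Security header"
    if soapaction is None:
        return "reject: missing SOAPAction"
    action = soapaction.strip().strip('"')
    if action not in OPERATIONS:
        return "reject: unknown SOAPAction"
    # CVE-2012-3451 lesson: authorise on the operation found in the Body and
    # require the header to agree with it, instead of trusting the header alone.
    try:
        op = body_operation(payload)
    except ET.ParseError:
        return "reject: malformed envelope"
    expected = OPERATIONS[action]
    if op != expected:
        return f"reject: SOAPAction names {expected} but Body carries {op or 'nothing'}"
    return "ok"


# Constructed sample: a transfer body sent under the balance SOAPAction.
SPOOFED = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><transfer xmlns="http://example.test/bank"><account>42</account></transfer></soap:Body>
</soap:Envelope>"""
HONEST = SPOOFED.replace("transfer", "balance")

if __name__ == "__main__":
    print(check_request("GET", None, ""))
    print(check_request("POST", '"http://example.test/bank/balance"', SPOOFED))
    print(check_request("POST", "http://example.test/bank/balance", HONEST))
```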
From bugzilla at redhat.com Wed Apr 10 17:19:51 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 10 Apr 2013 17:19:51 +0000
Subject: [RHSA-2013:0733-01] Moderate: JBoss Enterprise Portal Platform 5.2.2 security update
Message-ID: <201304101719.r3AHJpMC008288@int-mx02.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Enterprise Portal Platform 5.2.2 security update
Advisory ID:       RHSA-2013:0733-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0733.html
Issue date:        2013-04-10
CVE Names:         CVE-2012-3532
=====================================================================

1. Summary:

An update for the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 that fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience.

Multiple Cross-Site Request Forgery (CSRF) flaws were found in the GateIn Portal. If a remote attacker could trick a logged in user into visiting an attacker-controlled URL, the attacker could perform actions with the privileges of the logged in user. (CVE-2012-3532)

These issues were discovered by Trevor Jay of Red Hat Quality Engineering penetration testing.

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

All users of JBoss Enterprise Portal Platform 5.2.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

Note that it is recommended to halt the JBoss Enterprise Portal Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise Portal Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

851046 - CVE-2012-3532 GateIn Portal: Cross Site Request Forgery

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3532.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
From bugzilla at redhat.com Mon Apr 15 18:28:43 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 15 Apr 2013 18:28:43 +0000
Subject: [RHSA-2013:0743-01] Important: JBoss Enterprise BRMS Platform 5.3.1 update
Message-ID: <201304151828.r3FIShhV008419@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise BRMS Platform 5.3.1 update
Advisory ID:       RHSA-2013:0743-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0743.html
Issue date:        2013-04-15
CVE Names:         CVE-2012-3451 CVE-2012-5633
=====================================================================

1. Summary:

JBoss Enterprise BRMS Platform 5.3.1 roll up patch 1, which fixes two security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This roll up patch serves as a cumulative upgrade for JBoss Enterprise BRMS Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release:

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Red Hat would like to thank the Apache CXF project for reporting the CVE-2012-3451 issue.

Warning: Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise BRMS Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the JBoss Enterprise BRMS Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise BRMS Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://access.redhat.com/security/updates/classification/#important
http://cxf.apache.org/security-advisories.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

From bugzilla at redhat.com Tue Apr 16 19:12:55 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 16 Apr 2013 19:12:55 +0000
Subject: [RHSA-2013:0749-01] Important: apache-cxf security update
Message-ID: <201304161912.r3GJCu8v016933@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: apache-cxf security update
Advisory ID:       RHSA-2013:0749-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0749.html
Issue date:        2013-04-16
CVE Names:         CVE-2012-5633 CVE-2013-0239
=====================================================================

1. Summary:

An update for the Apache CXF component of JBoss Portal Platform 6.0.0 which fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache CXF is an open source services framework.

It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allowed a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. This flaw was exploitable on web services that rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users. It was not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy. (CVE-2013-0239)

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

Warning: Before applying this update, back up all applications deployed on JBoss Portal Platform, along with all customized configuration files, and any databases and database settings.

All users of JBoss Portal Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up all applications deployed on JBoss Portal Platform, along with all customized configuration files, and any databases and database settings.

Note that it is recommended to halt the JBoss Portal Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Portal Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor
905722 - CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://www.redhat.com/security/data/cve/CVE-2013-0239.html
https://access.redhat.com/security/updates/classification/#important
http://cxf.apache.org/security-advisories.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jbportal&version=6.0.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
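CVE-2013-0239 in the advisory above is an authentication check that treated an absent Password element as a pass. The following is an added example, not Apache CXF or Red Hat code: a UsernameToken validator that fails closed when the Password child is missing, distinguishes that case from an empty or wrong password, and only admits the plain-text password type when the deployment opts in. The credential store, usernames and sample envelopes are constructed; the WS-Security namespace and password-type URIs are the standard ones.

```python
"""WS-Security UsernameToken validator (added example, not CXF code)."""
import xml.etree.ElementTree as ET
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

USERS = {"alice": "correct horse"}  # constructed credential store


def extract_token(envelope_xml: str) -> Optional[dict]:
    """Return {'user', 'password', 'type'} from the first UsernameToken, or None."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    user = tok.find(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "user": (user.text or "").strip() if user is not None else "",
        # None means the element is absent; "" means it is present but empty.
        "password": (pw.text or "") if pw is not None else None,
        # The token profile defaults an untyped Password to PasswordText.
        "type": pw.get("Type", PW_TEXT) if pw is not None else None,
    }


def authenticate(envelope_xml: str, allow_plaintext: bool = True) -> str:
    """Return 'ok' or a rejection reason. A missing Password is a hard failure."""
    tok = extract_token(envelope_xml)
    if tok is None:
        return "reject: no UsernameToken"
    if tok["password"] is None:
        return "reject: UsernameToken without Password element"
    if tok["type"] == PW_DIGEST:
        return "reject: digest passwords not handled by this example"
    if tok["type"] != PW_TEXT:
        return "reject: unknown password type"
    if not allow_plaintext:
        return "reject: plain-text UsernameToken not permitted"
    if not tok["password"] or USERS.get(tok["user"]) != tok["password"]:
        return "reject: bad credentials"
    return "ok"


def envelope(username: str, password_elem: str) -> str:
    """Build a constructed SOAP envelope whose Security header holds one UsernameToken."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:wsse="{WSSE}"><s:Header><wsse:Security><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>{password_elem}"
        "</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>"
    )


GOOD = envelope("alice", f'<wsse:Password Type="{PW_TEXT}">correct horse</wsse:Password>')
NO_PASSWORD = envelope("alice", "")  # the CVE-2013-0239 shape: no Password child at all
EMPTY_PASSWORD = envelope("alice", "<wsse:Password/>")

if __name__ == "__main__":
    for name, env in (("good", GOOD), ("no password", NO_PASSWORD), ("empty", EMPTY_PASSWORD)):
        print(f"{name}: {authenticate(env)}")
```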
From bugzilla at redhat.com Mon Apr 22 21:27:11 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 22 Apr 2013 21:27:11 +0000
Subject: [RHSA-2013:0763-01] Moderate: JBoss Web Framework Kit 2.2.0 update
Message-ID: <201304222127.r3MLRB4d001688@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Web Framework Kit 2.2.0 update
Advisory ID:       RHSA-2013:0763-01
Product:           JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0763.html
Issue date:        2013-04-22
CVE Names:         CVE-2009-2625 CVE-2012-5783
=====================================================================

1. Summary:

JBoss Web Framework Kit 2.2.0, which fixes two security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

The JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications.

This release of JBoss Web Framework Kit 2.2.0 serves as a replacement for JBoss Web Framework Kit 2.1.0. It includes various bug fixes and enhancements which are detailed in the JBoss Web Framework Kit 2.2.0 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/site/documentation/

This release also fixes the following security issues:

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

Note: Seam and RichFaces used the xerces:xercesImpl:2.9.1-patch01 artifact, which is vulnerable to the CVE-2009-2625 flaw. In this release, the artifact has been replaced with xerces:xercesImpl:2.9.1-redhat-3, which is not vulnerable.

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

Note: Jakarta Commons HttpClient 3 is vulnerable to CVE-2012-5783. Jakarta Commons HttpClient 3 has reached its end of life as an Apache-maintained component, and no upstream build is available that addresses this flaw. The version of Jakarta Commons HttpClient 3 that ships with JBoss Web Framework Kit 2.2.0 includes a patch for this flaw, which has been built by Red Hat. Versions that are consumed from Maven Central do not have this patch applied. Jakarta Commons HttpClient 3 is a transitive dependency for multiple components included in JBoss Web Framework Kit 2.2.0. If this dependency is resolved using a build of HttpClient 3 from Maven Central, then this flaw may be exposed.

Warning: Before applying this update, back up your existing installation of JBoss Enterprise Application Platform or JBoss Enterprise Web Server, and applications deployed to it.

All users of JBoss Web Framework Kit 2.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Web Framework Kit 2.2.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing installation of JBoss Enterprise Application Platform or JBoss Enterprise Web Server, and applications deployed to it.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

512921 - CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)
873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

5. References:

https://www.redhat.com/security/data/cve/CVE-2009-2625.html
https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions
https://access.redhat.com/site/documentation/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
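The missing check behind CVE-2012-5783 in the advisory above is the comparison of the connection hostname against the names a server certificate actually carries. The following is an added example, not Jakarta Commons HttpClient code or Red Hat's patch: a hostname matcher that follows the RFC 2818 rules the advisory alludes to, giving subjectAltName dNSName entries precedence, falling back to the subject CN only when no SAN is present, and allowing a wildcard to stand for a single leftmost label only. The certificates are constructed dicts in the layout Python's ssl.getpeercert() returns, not real certificates.

```python
"""Server-certificate hostname matcher (added example, not HttpClient code)."""
from typing import Dict, List


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the host (case-insensitive)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label and must be followed by
    # at least two more labels, so "*.com" and "w*.example.com" match nothing.
    if len(p_labels) < 3 or p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # A wildcard covers exactly one label: "*.svc.example.com" does not
    # match "a.b.svc.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def candidate_names(cert: Dict) -> List[str]:
    """SAN dNSName entries if any are present; otherwise the subject CN (RFC 2818 fallback)."""
    dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: Dict, host: str) -> bool:
    """True only when the host matches one of the certificate's acceptable names."""
    return any(_name_matches(name, host) for name in candidate_names(cert))


# Constructed certificates in the ssl.getpeercert() dict layout.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.svc.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "portal.example.org"),),)}

if __name__ == "__main__":
    for cert, host in ((SAN_CERT, "api.example.com"), (SAN_CERT, "ignored.example.net"),
                       (SAN_CERT, "auth.svc.example.com"), (CN_ONLY_CERT, "evil.example.org")):
        print(f"{host}: {'accept' if hostname_matches(cert, host) else 'reject'}")
```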