From bugzilla at redhat.com Tue Feb 5 00:10:51 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:10:51 +0000
Subject: [RHSA-2013:0229-01] Important: JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201302050010.r150ApJ0024460@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2013:0229-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0229.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An updated jbosssx2 package for JBoss Enterprise Application Platform 5.2.0 that fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.src.rpm

noarch:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE35XlSAg2UNWIIRAth7AJ0dDmZA0oSeBRaTSoe7uLpqyc+JwgCgkOiC
RSPPDrDoyAlhS6eFoXgaJ0E=
=inhg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:11:26 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:11:26 +0000
Subject: [RHSA-2013:0230-01] Important: JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201302050011.r150BQsi021489@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2013:0230-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0230.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An updated jbosssx2 package for JBoss Enterprise Web Platform 5.2.0 that fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

The Enterprise Web Platform is a slimmed down profile of the JBoss Enterprise Application Platform intended for mid-size workloads with light and rich Java applications.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.src.rpm

noarch:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.src.rpm

noarch:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE4fXlSAg2UNWIIRAsaeAKCoDJuhaVy9lbdXPPm62HC8tipKMwCgwHxZ
doPeMyU6gpMIixPiz6vRZIQ=
=HWVQ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:11:56 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:11:56 +0000
Subject: [RHSA-2013:0231-01] Important: JBoss Enterprise Application Platform 6.0.1 security update
Message-ID: <201302050011.r150Bus5022156@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 6.0.1 security update
Advisory ID:       RHSA-2013:0231-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0231.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 6 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 6 for RHEL 6 Server - noarch

3. Description:

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

When using LDAP authentication with either the "ldap" configuration entry or the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Note: If you are using the "ldap" configuration entry and rely on empty passwords, they will no longer work after applying this update. The jboss-as-domain-management module, by default, will prevent empty passwords. This cannot be configured; however, a future release may add a configuration option to allow empty passwords when using the "ldap" configuration entry.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

6. Package List:

JBoss Enterprise Application Platform 6 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/picketbox-4.0.14-3.Final_redhat_3.ep6.el5.src.rpm

noarch:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5.noarch.rpm
picketbox-4.0.14-3.Final_redhat_3.ep6.el5.noarch.rpm

JBoss Enterprise Application Platform 6 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/picketbox-4.0.14-3.Final_redhat_3.ep6.el6.src.rpm

noarch:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6.noarch.rpm
picketbox-4.0.14-3.Final_redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE43XlSAg2UNWIIRAo5NAJ9SlVUIamEyQ3jEw9vAVWq3WrjyUwCgpb60
GqFpsJd8CjHe6VSWJ2nR7Eo=
=C6Ie
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:12:28 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:12:28 +0000
Subject: [RHSA-2013:0232-01] Important: JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201302050012.r150CS1H012761@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2013:0232-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0232.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.2.0 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0
http://tools.ietf.org/html/rfc4513

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE5TXlSAg2UNWIIRAuJbAJwOhSl6V+WxRj7z6farM2XYOsAe6QCcD/tw
9w6M1BAYcgJYqTY8o1iQjJg=
=o+2e
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:12:46 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:12:46 +0000
Subject: [RHSA-2013:0233-01] Important: JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201302050012.r150CkVm012808@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2013:0233-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0233.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.2.0 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

The Enterprise Web Platform is a slimmed down profile of the JBoss Enterprise Application Platform intended for mid-size workloads with light and rich Java applications.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0
http://tools.ietf.org/html/rfc4513

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE5zXlSAg2UNWIIRArrQAJ9xsJbw/LCxwzincouZK1AwMkA2GQCgvmqn
OKZ/74Ssm9DsTPH8d2bTc/I=
=GuwJ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:13:04 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:13:04 +0000
Subject: [RHSA-2013:0234-01] Important: JBoss Enterprise Application Platform 6.0.1 security update
Message-ID: <201302050013.r150D4TO025356@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 6.0.1 security update
Advisory ID:       RHSA-2013:0234-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0234.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 6.0.1 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

When using LDAP authentication with either the "ldap" configuration entry or the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Note: If you are using the "ldap" configuration entry and rely on empty passwords, they will no longer work after applying this update. The jboss-as-domain-management module, by default, will prevent empty passwords. This cannot be configured; however, a future release may add a configuration option to allow empty passwords when using the "ldap" configuration entry.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.0.1
http://tools.ietf.org/html/rfc4513

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE6FXlSAg2UNWIIRAsDcAJoCFjyfBGk7QCgcsWlMMHEa8aTQJQCfY/2s
l1TCjr1U8b68VhNIfMec/4A=
=PV5/
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 5 00:13:38 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 5 Feb 2013 00:13:38 +0000
Subject: [RHSA-2013:0235-01] Important: jbossweb security update
Message-ID: <201302050013.r150Dc9n025413@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbossweb security update
Advisory ID:       RHSA-2013:0235-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0235.html
Issue date:        2013-02-04
CVE Names:         CVE-2012-3546
=====================================================================

1. Summary:

An update for JBoss Enterprise Portal Platform 5.2.2 and JBoss Enterprise SOA Platform 5.3.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. (CVE-2012-3546)

Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

All users of JBoss Enterprise Portal Platform 5.2.2 and JBoss Enterprise SOA Platform 5.3.0 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the update).

Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

For both JBoss Enterprise Portal Platform and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3546.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jbportal&version=5.2.2
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=soaplatform&version=5.3.0+GA
http://tomcat.apache.org/security-6.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
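Added example for the RHSA-2013:0235 description above (editor's code, not from the advisory, Apache Tomcat or JBoss Web): a detection pass over access-log lines for the CVE-2012-3546 pattern. Under FORM authentication the only legitimate request to the j_security_check action is a POST from the login form to one known path per web context, so any request whose path ends in "/j_security_check" but is not such a POST is worth reviewing while the jbossweb update is rolled out. The log lines, the "/portal" context and the EXPECTED_LOGIN_ACTIONS allow-list are constructed for the example and would be replaced by a site's real access logs and login-form locations.

```python
import re
from collections import namedtuple

# Constructed sample of access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2013:10:00:01 +0000] "GET /portal/login.jsp HTTP/1.1" 200 1532
10.0.0.5 - - [04/Feb/2013:10:00:09 +0000] "POST /portal/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [04/Feb/2013:10:00:10 +0000] "GET /portal/home HTTP/1.1" 200 8801
10.0.0.7 - - [04/Feb/2013:10:05:42 +0000] "GET /portal/admin/users/j_security_check HTTP/1.1" 200 4420
10.0.0.7 - - [04/Feb/2013:10:05:50 +0000] "POST /portal/reports/j_security_check?x=1 HTTP/1.1" 200 9100
10.0.0.9 - - [04/Feb/2013:10:07:00 +0000] "GET /portal/admin/users HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allow-list: the login form action expected for each deployed
# context. Build it from the real login pages of the applications you run.
EXPECTED_LOGIN_ACTIONS = frozenset({"/portal/j_security_check"})

Finding = namedtuple("Finding", "ip ts method path status reason")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, expected=EXPECTED_LOGIN_ACTIONS):
    """Flag j_security_check requests that are not a POST to an expected login action."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # the query string plays no part here
        if not path.endswith("/j_security_check"):
            continue
        if path not in expected:
            reason = "j_security_check under a path that is not a login action"
        elif rec["method"] != "POST":
            reason = "login action requested with %s instead of POST" % rec["method"]
        else:
            continue  # normal login-form submission
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], path, rec["status"], reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

On the constructed sample the pass reports the two requests from 10.0.0.7 and nothing else; a 200 rather than the usual 302 on such a request is a further sign that the constraint check was skipped, but the status is left as data in the Finding so the threshold stays a local decision. This is a stopgap for triage, not a substitute for installing the update.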
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFREE6bXlSAg2UNWIIRAtAZAJ48nP6TokkmGnePFdAf0npOvisEkwCfZOCo
BJX+Jf/b87zxtk+KLoHUaX8=
=99HK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Feb 11 18:15:02 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Feb 2013 18:15:02 +0000
Subject: [RHSA-2013:0248-01] Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update
Message-ID: <201302111815.r1BIF2e4026411@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update
Advisory ID:       RHSA-2013:0248-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0248.html
Issue date:        2013-02-11
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 4.3.0 CP10 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=4.3.0.GA_CP10
http://tools.ietf.org/html/rfc4513

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRGTUHXlSAg2UNWIIRApnLAKCWa+TFTLhxXDgMGV/42IRzjbXgpwCeJasl gEjqUjmNYcVWJTJNdfOiE3o= =khKT -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Feb 11 18:15:50 2013 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 11 Feb 2013 18:15:50 +0000 Subject: [RHSA-2013:0249-01] Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update Message-ID: <201302111815.r1BIFpQd002509@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update Advisory ID: RHSA-2013:0249-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0249.html Issue date: 2013-02-11 CVE Names: CVE-2012-5629 ===================================================================== 1. Summary: Updated JBoss Enterprise Application Platform 4.3.0 CP10 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch 3. Description: JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. 
An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.src.rpm

noarch:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.src.rpm

noarch:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.src.rpm

noarch:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
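The bypass described in the two CVE-2012-5629 errata above (the 4.3.0 CP10 text preceding RHSA-2013:0249-01, and RHSA-2013:0249-01 itself) comes down to one missing check before the bind. The following is an added example, not Red Hat or JBoss code: a simulated LDAP server that implements the RFC 4513 section 5.1.2 rule (a simple bind with a non-empty name and a zero-length password is an "unauthenticated authentication" that returns success but yields only an anonymous authorization state), and a login-module routine that turns bind success into a login. The directory contents, the DN layout and the `allow_empty_passwords` parameter are constructed for the example; in JBoss the equivalent switch is the `allowEmptyPasswords` module option that this erratum now defaults to false.

```python
"""Model of CVE-2012-5629: an LDAP login module that forwards an empty
password to the server and trusts the bind result.  Constructed example,
not the JBoss or Red Hat implementation."""

SUCCESS = 0               # LDAP resultCode values (RFC 4511)
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


class SimulatedLdapServer:
    """Just enough of an LDAP server to show RFC 4513 section 5.1.2.

    `entries` maps a DN to its password (constructed directory).  With
    `allow_unauthenticated` set, a bind with a name and an empty password
    returns success but establishes only an anonymous authorization state,
    which is what many real directory servers do by default.
    """

    def __init__(self, entries, allow_unauthenticated=True):
        self.entries = entries
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        """Return (resultCode, authorization identity or None)."""
        if dn and password == "":
            if self.allow_unauthenticated:
                return SUCCESS, None            # success, but anonymous
            return UNWILLING_TO_PERFORM, None
        if self.entries.get(dn) == password:
            return SUCCESS, dn                  # genuinely authenticated as dn
        return INVALID_CREDENTIALS, None


def user_dn(username):
    # Hypothetical principalDNPrefix / principalDNSuffix layout.
    return f"uid={username},ou=people,dc=example,dc=com"


def ldap_login(server, username, password, allow_empty_passwords):
    """Login-module logic.  With allow_empty_passwords=True (the pre-erratum
    behaviour) the empty password reaches the server, and a successful
    unauthenticated bind is mistaken for a successful login."""
    if not allow_empty_passwords and not password:
        return False                            # the erratum's new default
    code, _authz = server.simple_bind(user_dn(username), password or "")
    return code == SUCCESS


def ldap_login_strict(server, username, password):
    """Defence in depth: reject empty passwords and also require that the
    authorization identity reported by the server is the DN we bound as,
    so an anonymous or unexpectedly-mapped bind never counts as a login."""
    if not password:
        return False
    dn = user_dn(username)
    code, authz = server.simple_bind(dn, password)
    return code == SUCCESS and authz == dn


DIRECTORY = {user_dn("alice"): "correct horse battery staple"}   # constructed

if __name__ == "__main__":
    srv = SimulatedLdapServer(DIRECTORY)
    print("empty password, allowEmptyPasswords=true :", ldap_login(srv, "alice", "", True))
    print("empty password, allowEmptyPasswords=false:", ldap_login(srv, "alice", "", False))
    print("real password,  allowEmptyPasswords=false:", ldap_login(srv, "alice", "correct horse battery staple", False))
```

Note that the first line of defence in `ldap_login` is client-side: it does not depend on the directory server being configured to refuse unauthenticated binds, which is why the erratum can fix the issue in the login module alone. Checking the authorization identity, as `ldap_login_strict` does, additionally catches servers that answer an empty password with success for other reasons.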
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRGTU1XlSAg2UNWIIRAmURAJ9YfA36j+BI9XU79JwBs0OY62CjLgCgoObl
8ENKWsjct9VMETM1/LwbflM=
=jm3Y
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 13 19:03:56 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Feb 2013 19:03:56 +0000
Subject: [RHSA-2013:0256-01] Important: JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201302131903.r1DJ3vEB015649@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID: RHSA-2013:0256-01
Product: JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0256.html
Issue date: 2013-02-13
CVE Names: CVE-2012-3451 CVE-2012-5633
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.2.0 which fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services.
A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Note that the CVE-2012-3451 and CVE-2012-5633 issues only affected environments that have JBoss Web Services CXF installed.

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-3451.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0
http://cxf.apache.org/security-advisories.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRG+OGXlSAg2UNWIIRAoxvAJ9RrTco3OP+swQT/+8x1wvE1vX+0ACgk7O9
Px4I72tGniAvJBLjtSLVcRA=
=mr32
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 13 19:04:28 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Feb 2013 19:04:28 +0000
Subject: [RHSA-2013:0257-01] Important: JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201302131904.r1DJ4Twu011544@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID: RHSA-2013:0257-01
Product: JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0257.html
Issue date: 2013-02-13
CVE Names: CVE-2012-3451 CVE-2012-5633
=====================================================================

1. Summary:

An updated apache-cxf package for JBoss Enterprise Application Platform 5.2.0 that fixes two security issues is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Note that the CVE-2012-3451 and CVE-2012-5633 issues only affected environments that have JBoss Web Services CXF installed.

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-3451.
Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/apache-cxf-2.2.12-10.patch_06.ep5.el4.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/apache-cxf-2.2.12-10.patch_06.ep5.el4.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/apache-cxf-2.2.12-10.patch_06.ep5.el5.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-cxf-2.2.12-10.patch_06.ep5.el6.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://access.redhat.com/security/updates/classification/#important
http://cxf.apache.org/security-advisories.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRG+OpXlSAg2UNWIIRAtLdAJ425QdqzqG9BEN2wxjwSljb6fSwhQCeLq04
s1bPeI1LZf9se7z5r9WwLlk=
=Ii82
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 13 19:05:02 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Feb 2013 19:05:02 +0000
Subject: [RHSA-2013:0258-01] Important: JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201302131905.r1DJ53X2011020@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID: RHSA-2013:0258-01
Product: JBoss Enterprise Web Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0258.html
Issue date: 2013-02-13
CVE Names: CVE-2012-3451 CVE-2012-5633
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.2.0 which fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

The Enterprise Web Platform is a slimmed down profile of the JBoss Enterprise Application Platform intended for mid-size workloads with light and rich Java applications.

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Note that the CVE-2012-3451 and CVE-2012-5633 issues only affected environments that have JBoss Web Services CXF installed.

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-3451.

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).
Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0
http://cxf.apache.org/security-advisories.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRG+PDXlSAg2UNWIIRAvg2AKCUVzU3A58A3pUiZ3FYmIo6dz/j6ACgnWOK
jXtbx9DmafsiixAzHyOBfFs=
=xzKM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 13 19:05:43 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Feb 2013 19:05:43 +0000
Subject: [RHSA-2013:0259-01] Important: JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201302131905.r1DJ5h2M012247@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID: RHSA-2013:0259-01
Product: JBoss Enterprise Web Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0259.html
Issue date: 2013-02-13
CVE Names: CVE-2012-3451 CVE-2012-5633
=====================================================================

1. Summary:

An updated apache-cxf package for JBoss Enterprise Web Platform 5.2.0 that fixes two security issues is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

The Enterprise Web Platform is a slimmed down profile of the JBoss Enterprise Application Platform intended for mid-size workloads with light and rich Java applications.
If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

Note that the CVE-2012-3451 and CVE-2012-5633 issues only affected environments that have JBoss Web Services CXF installed.

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-3451.

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
apache-cxf-2.2.12-10.patch_06.ep5.el4.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
apache-cxf-2.2.12-10.patch_06.ep5.el4.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
apache-cxf-2.2.12-10.patch_06.ep5.el5.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
apache-cxf-2.2.12-10.patch_06.ep5.el6.src.rpm

noarch:
apache-cxf-2.2.12-10.patch_06.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://access.redhat.com/security/updates/classification/#important
http://cxf.apache.org/security-advisories.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
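The two CXF flaws described in RHSA-2013:0256-01, 0257-01, 0258-01 and 0259-01 above are both cases of the request being authorized on one view of the message and executed on another. The following is an added example, not Apache CXF, JBoss or Red Hat code: a deliberately simplified interceptor chain for a hypothetical two-operation "accounts" service in which the operations take the same parameters. The `X-Wsse-Token` header, `VALID_TOKENS`, the service namespace, the SOAPAction values and the role requirements are all constructed for the example; `wss4j_in` only stands in for what WSS4JInInterceptor would check. `vulnerable_chain` reproduces both behaviours the erratum describes (the GET shortcut that never reaches WS-Security processing, and dispatch on the SOAPAction header while authorization looks at the body); `fixed_chain` refuses the GET shortcut and faults when SOAPAction and body disagree.

```python
"""Model of CVE-2012-5633 and CVE-2012-3451.  Constructed example; the chain
below is a simplification of CXF's and not its code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"                   # hypothetical service namespace

# Two document-literal operations with identical parameters; the binding
# declares a distinct SOAPAction for each (all constructed for the example).
OPERATIONS = {
    "getBalance":   {"soap_action": "urn:example:getBalance",   "role": "user"},
    "closeAccount": {"soap_action": "urn:example:closeAccount", "role": "admin"},
}
# Stand-in for credentials WSS4JInInterceptor would validate (constructed).
VALID_TOKENS = {"alice-token": ("alice", {"user"})}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def envelope(op, account="42"):
    """Minimal document-literal request for `op` (constructed input)."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<a:{op} xmlns:a="{SVC_NS}"><a:account>{account}</a:account></a:{op}>'
            '</s:Body></s:Envelope>')


def wss4j_in(req):
    """Stand-in for WSS4JInInterceptor: fail unless a valid token is present."""
    token = req.headers.get("X-Wsse-Token")
    if token not in VALID_TOKENS:
        raise PermissionError("WS-Security processing failed: no valid token")
    return VALID_TOKENS[token]


def body_operation(body_xml):
    """Operation named by the first child of soap:Body, which is what an
    authorization or policy interceptor that inspects the payload sees."""
    body = ET.fromstring(body_xml).find(f"{{{SOAP_NS}}}Body")
    return body[0].tag.rsplit("}", 1)[1]


def soap_action_operation(req):
    """Operation selected by the SOAPAction header, or None if it matches nothing."""
    action = req.headers.get("SOAPAction", "").strip('"')
    for name, meta in OPERATIONS.items():
        if meta["soap_action"] == action:
            return name
    return None


def authorize(op, principal):
    user, roles = principal
    if OPERATIONS[op]["role"] not in roles:
        raise PermissionError(f"{user} may not call {op}")


def execute(op, principal):
    return f"200 {op} executed as {principal[0]}"


def vulnerable_chain(req):
    # CVE-2012-5633: the legacy URI-mapping shortcut turns GET /Service/<op>
    # straight into an invocation; WS-Security processing never runs for it.
    if req.method == "GET":
        return execute(req.path.rsplit("/", 1)[1], ("anonymous", set()))
    principal = wss4j_in(req)
    # CVE-2012-3451: authorization is decided on the body's operation, but the
    # operation actually invoked is the one the SOAPAction header names.
    authorize(body_operation(req.body), principal)
    op = soap_action_operation(req) or body_operation(req.body)
    return execute(op, principal)


def fixed_chain(req):
    if req.method == "GET":
        return "405 GET is not accepted on this endpoint"   # no URI-mapping shortcut
    principal = wss4j_in(req)
    op = body_operation(req.body)
    claimed = soap_action_operation(req)
    if claimed is not None and claimed != op:
        # Body and SOAPAction disagree: fault rather than trust the header.
        return "500 SOAPAction does not match the request body"
    authorize(op, principal)
    return execute(op, principal)
```

The spoofing case is a POST whose body is a well-formed `getBalance` (which alice may call) carrying `SOAPAction: "urn:example:closeAccount"`; the vulnerable chain executes `closeAccount` as alice, the fixed chain returns the mismatch fault. The GET case needs no credentials at all against the vulnerable chain, which is why the erratum rates the issue important even though only deployments that rely on WSS4JInInterceptor rather than WS-SecurityPolicy are affected.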
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRG+PyXlSAg2UNWIIRApdLAJ912977yyOyDTxKYfZOquF7THJ3QgCfRh8Y
WS2jLmIm2jOQU41vcJJluTo=
=PufV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 14 18:44:25 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Feb 2013 18:44:25 +0000
Subject: [RHSA-2013:0261-01] Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update
Message-ID: <201302141844.r1EIiPeJ014012@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update
Advisory ID: RHSA-2013:0261-01
Product: JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0261.html
Issue date: 2013-02-14
CVE Names: CVE-2011-1096
=====================================================================

1. Summary:

An update for the JBoss Web Services component in JBoss Enterprise Application Platform 4.3.0 CP10 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

An attack technique was found against the W3C XML Encryption Standard when block ciphers were used in cipher-block chaining (CBC) mode.
A remote attacker could use this flaw to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram by examining the differences between SOAP (Simple Object Access Protocol) responses sent from JBoss Web Services. (CVE-2011-1096)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

Note: Manual action is required to apply this update. The CVE-2011-1096 issue is an attack on the WS-Security standard itself. Using new Galois/Counter Mode (GCM) based algorithms for WS-Security encryption is the W3C suggested way of dealing with this issue. To use GCM algorithms in your application, update the encrypt element of all jboss-ws-security configuration to specify a GCM algorithm. The following is an example directive:

<encrypt type="x509v3" algorithm="aes-128-gcm" alias="wsse"/>

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

681916 - CVE-2011-1096 jbossws: Prone to character encoding pattern attack (XML Encryption flaw)

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1096.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=4.3.0.GA_CP10

6. Contact:

The Red Hat security contact is .
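The CVE-2011-1096 description above says the attacker recovers plaintext by watching how the server's responses differ for manipulated ciphertexts; the mechanism is worth seeing end to end. The following is an added example, not JBoss, Red Hat or Ruhr-University code. The real attack uses the decryptor's UTF-8 and XML well-formedness check as its oracle; this example uses the classic padding check, which is the same kind of side channel and keeps the code short, so it demonstrates the attack class rather than the exact XML Encryption procedure. The 8-byte Feistel "block cipher" built on SHA-256 is a toy so the demo runs offline with the standard library only; it stands in for AES-CBC and is not secure. The key, IV and the `SECRET` plaintext are constructed.

```python
"""Chosen-ciphertext recovery of CBC plaintext through an error oracle.
Constructed example (toy cipher, constructed key and data), not JBoss code."""
import hashlib
import random

BLOCK = 8
KEY = b"constructed-demo-key"            # constructed key for the demo


def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):          # toy 8-round Feistel on 8-byte blocks
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev, padded = b"", iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, data):
    out, prev = b"", data[:BLOCK]
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return unpad(out)


def make_oracle(key):
    """Server side: True if the ciphertext decrypts to valid padding.  Any
    observable difference (distinct SOAP faults, timing) is enough."""
    def oracle(ciphertext):
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev_block, target_block, rng):
    """Recover the plaintext of `target_block` from the oracle alone, by
    substituting a chosen block for the one that precedes it in CBC."""
    inter = bytearray(BLOCK)                         # block_decrypt(target), learned byte by byte
    forged = bytearray(rng.randrange(256) for _ in range(BLOCK))
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val           # already-known bytes decrypt to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target_block):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte may be an accidental 02 02 (or longer)
                # padding; disturb the byte before it, a genuine 01 still validates.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target_block):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("no valid padding found; attack failed")
    return _xor(inter, prev_block)


def recover_plaintext(oracle, ciphertext, seed=0):
    rng = random.Random(seed)
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(recover_block(oracle, blocks[i - 1], blocks[i], rng)
                         for i in range(1, len(blocks)))
    return unpad(recovered)


SECRET = b"<wsse:Password>hunter2</wsse:Password>"   # constructed plaintext

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, b"\x00" * BLOCK, SECRET)
    print(recover_plaintext(make_oracle(KEY), ct))   # prints the secret without the key
```

Each recovered byte costs at most 256 oracle queries, so the whole message falls to a few thousand requests, none of which needs the key. The GCM algorithms the erratum points to close this channel structurally: the authentication tag is verified before any plaintext is examined, so every modified ciphertext produces the same single failure and there is no difference in responses left to observe.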
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRHTB6XlSAg2UNWIIRAhDwAJ9mHw37uqesBmOyw43NOkhImSd2ogCfR3zN
uQRafOvMvrFpMAap+imA0rs=
=YRxC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 19 23:44:22 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Feb 2013 23:44:22 +0000
Subject: [RHSA-2013:0265-01] Moderate: tomcat6 security update
Message-ID: <201302192344.r1JNiMsx017425@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tomcat6 security update
Advisory ID: RHSA-2013:0265-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0265.html
Issue date: 2013-02-19
CVE Names: CVE-2012-2733 CVE-2012-4431 CVE-2012-4534 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

An update for the Apache Tomcat 6 component for JBoss Enterprise Web Server 2.0.0 that fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF.
(CVE-2012-4431)

A flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. The Apache Portable Runtime (APR) connector from the Tomcat Native library was not affected by this flaw. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

A denial of service flaw was found in the way the Tomcat HTTP NIO connector enforced limits on the permitted size of request headers. A remote attacker could use this flaw to trigger an OutOfMemoryError by sending a specially-crafted request with very large headers. The HTTP NIO connector is used by default in JBoss Enterprise Web Server. The APR connector from the Tomcat Native library was not affected by this flaw. (CVE-2012-2733)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

All users of JBoss Enterprise Web Server 2.0.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Tomcat must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-2733.html
https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://www.redhat.com/security/data/cve/CVE-2012-4534.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=2.0.0
http://tomcat.apache.org/security-6.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
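The CVE-2012-4431 entry in RHSA-2013:0265-01 and RHSA-2013:0266-01 describes a filter that skips its check when the request carries no session. The following is an added example, not Tomcat, JBoss or Red Hat code: a simplified model of a CSRF prevention filter with a per-session bounded nonce cache, written with a `fixed` switch so the pre-fix and post-fix decisions sit side by side. The cache size, the request and session representation (plain dicts) and the `entry_points` parameter are constructed for the example; only the nonce parameter name matches Tomcat's.

```python
"""Model of CVE-2012-4431, the no-session bypass of a CSRF prevention
filter.  Constructed example, not the Tomcat implementation."""
from collections import OrderedDict
import secrets

NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"   # Tomcat's request parameter name
SESSION_ATTR = "csrf.nonce.cache"                        # constructed session attribute key


class NonceCache:
    """Bounded LRU of the nonces issued to one session: only the most recent
    `size` nonces stay valid, so a leaked old nonce expires on its own."""

    def __init__(self, size=5):
        self.size = size
        self._entries = OrderedDict()

    def add(self, nonce):
        self._entries[nonce] = True
        self._entries.move_to_end(nonce)
        while len(self._entries) > self.size:
            self._entries.popitem(last=False)

    def __contains__(self, nonce):
        return nonce in self._entries


def issue_nonce(session):
    """Called when rendering a page: mint a nonce and remember it in the session."""
    cache = session.setdefault(SESSION_ATTR, NonceCache())
    nonce = secrets.token_hex(16)
    cache.add(nonce)
    return nonce


def csrf_filter(request, session, entry_points=frozenset(), fixed=True):
    """Return 200 if the request may proceed, 403 if it is denied.
    `request` is a dict of path and parameters; `session` is a dict, or None
    when the request carried no session identifier."""
    if request.get("path") in entry_points:
        return 200                          # landing pages are reachable without a nonce
    cache = session.get(SESSION_ATTR) if session is not None else None
    nonce = request.get(NONCE_PARAM)
    if fixed:
        # A protected resource needs a session, a cache and a nonce from it.
        if cache is None or nonce is None or nonce not in cache:
            return 403
    else:
        # Vulnerable logic: the check only runs when a cache exists, so a
        # request with no session (hence no cache) is waved through.
        if cache is not None and nonce not in cache:
            return 403
    return 200


if __name__ == "__main__":
    session = {}
    nonce = issue_nonce(session)
    print("valid nonce          :", csrf_filter({"path": "/app/transfer", NONCE_PARAM: nonce}, session))
    print("no session, old logic:", csrf_filter({"path": "/app/transfer"}, None, fixed=False))
    print("no session, fixed    :", csrf_filter({"path": "/app/transfer"}, None, fixed=True))
```

The attacker-controlled page in a CSRF attack cannot read the victim's nonce, but it can easily make the browser send a request that carries no session cookie (for example by targeting a URL that is not in the cookie's path scope). Under the old logic such a request was not challenged at all; the fixed logic treats a missing session exactly like a missing nonce.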
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJA4hXlSAg2UNWIIRAkoNAJ4jwFMtCaZTAxGjQJrsz7jVjy9TCwCgtlgA
B9QpCX/gtW2/gCJXhNyRGRc=
=xRE1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 19 23:44:47 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Feb 2013 23:44:47 +0000
Subject: [RHSA-2013:0266-01] Moderate: tomcat6 security update
Message-ID: <201302192344.r1JNile5024468@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tomcat6 security update
Advisory ID: RHSA-2013:0266-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0266.html
Issue date: 2013-02-19
CVE Names: CVE-2012-2733 CVE-2012-4431 CVE-2012-4534 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

Updated tomcat6 packages that fix multiple security issues are now available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 2 for RHEL 5 Server - noarch
JBoss Enterprise Web Server 2 for RHEL 6 Server - noarch

3. Description:

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF.
(CVE-2012-4431)

A flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. The Apache Portable Runtime (APR) connector from the Tomcat Native library was not affected by this flaw. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

A denial of service flaw was found in the way the Tomcat HTTP NIO connector enforced limits on the permitted size of request headers. A remote attacker could use this flaw to trigger an OutOfMemoryError by sending a specially-crafted request with very large headers. The HTTP NIO connector is used by default in JBoss Enterprise Web Server. The APR connector from the Tomcat Native library was not affected by this flaw. (CVE-2012-2733)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Users of Tomcat should upgrade to these updated packages, which resolve these issues. Tomcat must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5.
Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile

6. Package List:

JBoss Enterprise Web Server 2 for RHEL 5 Server:

Source:
tomcat6-6.0.35-6_patch_06.ep6.el5.src.rpm

noarch:
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm

JBoss Enterprise Web Server 2 for RHEL 6 Server:

Source:
tomcat6-6.0.35-29_patch_06.ep6.el6.src.rpm

noarch:
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2012-2733.html
https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://www.redhat.com/security/data/cve/CVE-2012-4534.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate
http://tomcat.apache.org/security-6.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJA5gXlSAg2UNWIIRAv0aAKCzi0k+VkK+5+7EtoM0+N9VHydrIACfZ3O8
2UQP+qWrhV0etdXhUf0nYbA=
=ryw2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Feb 19 23:45:11 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Feb 2013 23:45:11 +0000
Subject: [RHSA-2013:0267-01] Moderate: tomcat7 security update
Message-ID: <201302192345.r1JNjBHG029588@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tomcat7 security update
Advisory ID: RHSA-2013:0267-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0267.html
Issue date: 2013-02-19
CVE Names: CVE-2012-4431
=====================================================================

1. Summary:

An update for the Apache Tomcat 7 component for JBoss Enterprise Web Server 2.0.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2.
Description:

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF. (CVE-2012-4431)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

All users of JBoss Enterprise Web Server 2.0.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). Tomcat must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=2.0.0
http://tomcat.apache.org/security-7.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
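The failure class behind CVE-2012-4431, as the advisories above describe it, is a CSRF prevention filter that, handed a request carrying no session identifier, has no stored token to compare against and lets the request through. The Python below is an added example written for this page, not Tomcat's or JBoss Web's filter code: it sets a lenient checker that treats "no session" as "nothing to check" beside a strict one that fails closed. The Request/Session model, the parameter name csrf_nonce and the nonce format are assumptions made for the example.

```python
"""CSRF nonce check: lenient (fails open without a session) vs strict (fails closed).

Constructed example; the Request/Session model and all names are assumptions,
not Tomcat's CsrfPreventionFilter implementation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Methods that must not change state and are therefore exempt from the check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
NONCE_PARAM = "csrf_nonce"  # assumed request-parameter name


@dataclass
class Session:
    """Server-side session; remembers the nonces issued to this client."""
    nonces: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """Minimal request model: a request without a session identifier has session=None."""
    method: str
    path: str
    session: Optional[Session]
    params: Dict[str, str] = field(default_factory=dict)


def issue_nonce(session: Session) -> str:
    """Mint an unguessable nonce, store it in the session, return it for embedding in a form."""
    nonce = secrets.token_hex(16)
    session.nonces.add(nonce)
    return nonce


def csrf_allows_lenient(req: Request) -> bool:
    """Vulnerable pattern: with no session there is nothing to compare, so the check is skipped.

    A state-changing request that arrives without a session therefore passes the filter,
    which is the bypass the advisory describes."""
    if req.method in SAFE_METHODS:
        return True
    if req.session is None:
        return True  # fails open: the bug
    return req.params.get(NONCE_PARAM) in req.session.nonces


def csrf_allows_strict(req: Request) -> bool:
    """Hardened: a state-changing request needs a session AND a nonce that was issued to it."""
    if req.method in SAFE_METHODS:
        return True
    if req.session is None:
        return False  # fails closed: no session means no proof the form was ours
    nonce = req.params.get(NONCE_PARAM)
    return nonce is not None and nonce in req.session.nonces


def compare_filters(req: Request) -> Dict[str, bool]:
    """Run both checkers on one request so the difference is visible side by side."""
    return {"lenient": csrf_allows_lenient(req), "strict": csrf_allows_strict(req)}


if __name__ == "__main__":
    session = Session()
    nonce = issue_nonce(session)
    cases = [
        ("legitimate form post", Request("POST", "/transfer", session, {NONCE_PARAM: nonce})),
        ("post, no session", Request("POST", "/transfer", None, {})),
        ("post, session, no nonce", Request("POST", "/transfer", session, {})),
        ("plain GET", Request("GET", "/account", None, {})),
    ]
    for name, req in cases:
        print(f"{name:>24}: {compare_filters(req)}")
```

The only line that differs in substance is the one handling `req.session is None`; an application that relies on the filter alone (and has no internal CSRF mitigation, as the advisory puts it) is protected only if that branch denies.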
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJA51XlSAg2UNWIIRAqPfAJ932TweYQJv+sobR/JFdOTHLjaU0gCgjpxP
ElpKi7gMp8G4cXx0wNB6cQE=
=Ncfk
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Feb 19 23:45:47 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Feb 2013 23:45:47 +0000
Subject: [RHSA-2013:0268-01] Moderate: tomcat7 security update
Message-ID: <201302192345.r1JNjlZQ030040@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tomcat7 security update
Advisory ID: RHSA-2013:0268-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0268.html
Issue date: 2013-02-19
CVE Names: CVE-2012-4431
=====================================================================

1. Summary:

Updated tomcat7 packages that fix one security issue are now available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 2 for RHEL 5 Server - noarch
JBoss Enterprise Web Server 2 for RHEL 6 Server - noarch

3. Description:

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF.
(CVE-2012-4431)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Users of Tomcat should upgrade to these updated packages, which resolve this issue. Tomcat must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter

6. Package List:

JBoss Enterprise Web Server 2 for RHEL 5 Server:

Source:
tomcat7-7.0.30-3_patch_02.ep6.el5.src.rpm

noarch:
tomcat7-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-admin-webapps-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-docs-webapp-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-el-1.0-api-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-javadoc-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-jsp-2.2-api-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-lib-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-log4j-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-servlet-3.0-api-7.0.30-3_patch_02.ep6.el5.noarch.rpm
tomcat7-webapps-7.0.30-3_patch_02.ep6.el5.noarch.rpm

JBoss Enterprise Web Server 2 for RHEL 6 Server:

Source:
tomcat7-7.0.30-5_patch_02.ep6.el6.src.rpm

noarch:
tomcat7-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-el-1.0-api-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-lib-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.30-5_patch_02.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.30-5_patch_02.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://access.redhat.com/security/updates/classification/#moderate
http://tomcat.apache.org/security-7.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJA6RXlSAg2UNWIIRAphHAJ96P96oYITQRYeeswsg4Srqaacm/gCgvsTN
q4BmX5ysa+tRwV9suEJPGzQ=
=0w1T
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Feb 20 21:49:03 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Feb 2013 21:49:03 +0000
Subject: [RHSA-2013:0533-01] Important: JBoss Enterprise SOA Platform 5.3.1 update
Message-ID: <201302202149.r1KLn3Fm008778@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Enterprise SOA Platform 5.3.1 update
Advisory ID: RHSA-2013:0533-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0533.html
Issue date: 2013-02-20
CVE Names: CVE-2009-5066 CVE-2011-2487 CVE-2011-2730 CVE-2011-4575 CVE-2012-0034 CVE-2012-0874 CVE-2012-3369 CVE-2012-3370 CVE-2012-5370 CVE-2012-5478
=====================================================================

1. Summary:

JBoss Enterprise SOA Platform 5.3.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This release of JBoss Enterprise SOA Platform 5.3.1 serves as a replacement for JBoss Enterprise SOA Platform 5.3.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.1 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

2. Description:

Security:

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. (CVE-2011-2730)

Note: Manual action is required to apply the fix for CVE-2011-2730. If your system has deployed applications which use Spring framework, the context parameter "springJspExpressionSupport" must be set to "false" to mitigate this flaw, for example, in the application's web.xml file. This will prevent the double-evaluation of EL expressions that led to this flaw.

An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370)

A denial of service flaw was found in the implementation of associative arrays (hashes) in JRuby.
An attacker able to supply a large number of inputs to a JRuby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, the Murmur hash function has been replaced with the Perl hash function. (CVE-2012-5370)

Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2012-5370 flaw is not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application.

Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066)

NonManagedConnectionFactory logged the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874)

CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session.
(CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575. The CVE-2012-3370 and CVE-2012-3369 issues were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response Team.

Warning: Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise SOA Platform 5.3.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform 5.3.1.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

4.
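The CVE-2011-2730 note above names the mitigation (context parameter springJspExpressionSupport set to false in web.xml) without showing where it sits in the deployment descriptor. The fragment below is an added example for this page, not text from the advisory or from the Spring project: the web-app wrapper is the standard Servlet 2.5 descriptor header, and the context-param is the only element that carries the mitigation; any other content of a real application's web.xml (servlets, filters, security constraints) is unaffected and omitted here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml fragment for an application that deploys the
     Spring framework. Everything except the context-param is the ordinary
     Servlet 2.5 descriptor skeleton. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Mitigation for CVE-2011-2730: stop Spring's JSP tags from evaluating EL
       expressions a second time after the container has already done so. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

  <!-- ... the application's own servlets, filters and security constraints ... -->

</web-app>
```

Because the parameter is read per web application, it has to be present in every deployed application that uses the Spring framework; setting it in one archive does not cover the others on the same server.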
Bugs fixed (http://bugzilla.redhat.com/):

713539 - CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
737608 - CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
760387 - CVE-2011-4575 JMX Console: XSS in invoke operation
772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs
795645 - CVE-2012-0874 JBoss invoker servlets do not require authentication
836451 - CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided
836456 - CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
842477 - CVE-2009-5066 JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing
874349 - CVE-2012-5478 JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure
880671 - CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)

5. References:

https://www.redhat.com/security/data/cve/CVE-2009-5066.html
https://www.redhat.com/security/data/cve/CVE-2011-2487.html
https://www.redhat.com/security/data/cve/CVE-2011-2730.html
https://www.redhat.com/security/data/cve/CVE-2011-4575.html
https://www.redhat.com/security/data/cve/CVE-2012-0034.html
https://www.redhat.com/security/data/cve/CVE-2012-0874.html
https://www.redhat.com/security/data/cve/CVE-2012-3369.html
https://www.redhat.com/security/data/cve/CVE-2012-3370.html
https://www.redhat.com/security/data/cve/CVE-2012-5370.html
https://www.redhat.com/security/data/cve/CVE-2012-5478.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions
https://access.redhat.com/knowledge/docs/

6.
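Two of the bugs listed above, CVE-2012-3369 (CallerIdentityLoginModule keeping the previous call's password when a null one is provided) and CVE-2012-3370 (SecurityAssociation.getCredential() returning the previous credential when no security context is provided), share one design defect: a per-call credential slot that treats "nothing supplied" as "leave the old value in place". The Python below is an added example for this page, not JBoss code, contrasting that retaining behaviour with a slot that is overwritten on every call; the class names, the login() helper and the user store are constructed for the example.

```python
"""Per-call credential slot: retaining (vulnerable) vs resetting (fixed).

Constructed example, not JBoss code. Models the defect shared by the
CallerIdentityLoginModule / SecurityAssociation issues: a null credential on
the current call must not leave the previous caller's credential in effect.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    principal: str
    secret: str


class RetainingAssociation:
    """Vulnerable: None is treated as 'no change', so the prior caller's credential survives."""

    def __init__(self) -> None:
        self._credential: Optional[Credential] = None

    def set_credential(self, cred: Optional[Credential]) -> None:
        if cred is not None:  # the bug: a missing credential does not clear the old one
            self._credential = cred

    def get_credential(self) -> Optional[Credential]:
        return self._credential


class ResettingAssociation:
    """Fixed: every call overwrites the slot; None means 'no credential for this call'."""

    def __init__(self) -> None:
        self._credential: Optional[Credential] = None

    def set_credential(self, cred: Optional[Credential]) -> None:
        self._credential = cred

    def get_credential(self) -> Optional[Credential]:
        return self._credential


def login(assoc, principal: str, secret: Optional[str], store: Dict[str, str]) -> Optional[str]:
    """Login-module-like step: publish the caller's credential, then verify what the slot holds.

    Returns the principal that ends up authenticated, or None on failure. Verifying
    what get_credential() returns (rather than the arguments) is what exposes a stale slot.
    """
    assoc.set_credential(Credential(principal, secret) if secret is not None else None)
    cred = assoc.get_credential()
    if cred is None:
        return None
    return cred.principal if store.get(cred.principal) == cred.secret else None


def simulate(assoc_cls) -> Tuple[Optional[str], Optional[str]]:
    """Two sequential calls through one shared association: alice authenticates, then a
    caller naming bob supplies no password. Returns who each call was authenticated as."""
    store = {"alice": "correct horse", "bob": "battery staple"}  # constructed user store
    assoc = assoc_cls()
    first = login(assoc, "alice", "correct horse", store)
    second = login(assoc, "bob", None, store)
    return first, second


if __name__ == "__main__":
    for cls in (RetainingAssociation, ResettingAssociation):
        print(f"{cls.__name__:>22}: {simulate(cls)}")
```

With the retaining slot the second call, which supplied no password at all, is authenticated as alice: the credential of the previously authenticated user is reused, which is the hijack the advisory describes. With the resetting slot the same call fails, as it should.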
Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJUS7XlSAg2UNWIIRAvOuAJ9/CfVEiOKEWkerxwWgoqEsKKDbUQCcDR+m
06ehbUNl5vzux3t3ubr8fB4=
=Hz1H
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Feb 26 19:47:17 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 26 Feb 2013 19:47:17 +0000
Subject: [RHSA-2013:0569-01] Important: JBoss Web Services security update
Message-ID: <201302261947.r1QJlHoU011179@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: JBoss Web Services security update
Advisory ID: RHSA-2013:0569-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0569.html
Issue date: 2013-02-26
CVE Names: CVE-2011-1096
=====================================================================

1. Summary:

An update for the JBoss Web Services component in JBoss Enterprise SOA Platform 4.3 CP05 and JBoss Enterprise Portal Platform 4.3 CP07 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform.

An attack technique was found against the W3C XML Encryption Standard when block ciphers were used in cipher-block chaining (CBC) mode.
A remote attacker could use this flaw to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram by examining the differences between SOAP (Simple Object Access Protocol) responses sent from JBoss Web Services. (CVE-2011-1096)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

Note: Manual action is required to apply this update. The CVE-2011-1096 issue is an attack on the WS-Security standard itself. Using new Galois/Counter Mode (GCM) based algorithms for WS-Security encryption is the W3C suggested way of dealing with this issue. To use GCM algorithms in your application, update the encrypt element of all jboss-ws-security configuration to specify a GCM algorithm. The following is an example directive:

<encrypt type="x509v3" algorithm="aes-128-gcm" alias="wsse"/>

Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

All users of JBoss Enterprise SOA Platform 4.3 CP05 and JBoss Enterprise Portal Platform 4.3 CP07 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the update).

Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

For both JBoss Enterprise Portal Platform and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

681916 - CVE-2011-1096 jbossws: Prone to character encoding pattern attack (XML Encryption flaw)

5.
References:

https://www.redhat.com/security/data/cve/CVE-2011-1096.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.3.0.GA_CP05
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRLREmXlSAg2UNWIIRAimDAJ0XsuEwKMTbZCEm7zg2bku8FjdatgCgiLjN
cez7llELsykVdftRQ0dd3Kw=
=vYYt
-----END PGP SIGNATURE-----