From bugzilla at redhat.com Mon Jul 1 15:25:47 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 1 Jul 2013 15:25:47 +0000
Subject: [RHSA-2013:1006-01] Important: Red Hat JBoss BRMS 5.3.1 update
Message-ID: <201307011525.r61FPmoj012723@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 5.3.1 update
Advisory ID:       RHSA-2013:1006-01
Product:           Red Hat JBoss Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1006.html
Issue date:        2013-07-01
CVE Names:         CVE-2012-5575 CVE-2012-5783 CVE-2012-5885
                   CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

Red Hat JBoss BRMS 5.3.1 roll up patch 2, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release:

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys.
This issue affected both the JBoss Web Services CXF (jbossws-cxf) and JBoss Web Services Native (jbossws-native) stacks. (CVE-2012-5575)

If you are using jbossws-cxf, then automatic checks to prevent this flaw are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements.

If you are using jbossws-native, the fix for this flaw is implemented by two new configuration parameters in the 'encryption' element. This element can be a child of 'requires' in both client and server wsse configuration descriptors (set on a per-application basis via the application's jboss-wsse-server.xml and jboss-wsse-client.xml files). The new attributes are 'algorithms' and 'keyWrapAlgorithms'. These attributes should contain a space- or comma-separated list of algorithm IDs that are allowed for the encrypted incoming message, both for encryption and private key wrapping. For backwards compatibility, no algorithm checks are performed by default for empty lists or missing attributes. For example (do not include the line break in your configuration):

<encryption algorithms="aes-192-gcm aes-256-gcm"
    keyWrapAlgorithms="rsa_oaep"/>

This specifies that incoming messages are required to be encrypted, and that the only permitted encryption algorithms are AES-192 and AES-256 in GCM mode, and RSA-OAEP only for key wrapping. Before performing any decryption, the jbossws-native stack will verify that each algorithm specified in the incoming messages is included in the allowed algorithm lists from these new encryption element attributes. The algorithm values to be used for 'algorithms' and 'keyWrapAlgorithms' are the same as for 'algorithm' and 'keyWrapAlgorithm' in the 'encrypt' element.

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates.
This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575.

Warning: Before applying the update, back up your existing Red Hat JBoss BRMS installation (including its databases, applications, configuration files, and so on).

All users of Red Hat JBoss BRMS 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss BRMS installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss BRMS server by stopping the JBoss Application Server process before installing this update, and then, after installing the update, restart the Red Hat JBoss BRMS server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
880443 - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
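The CVE-2012-5575 fix for jbossws-native described in this advisory is an allowlist that is checked before any decryption takes place. The following is an added illustration of that behaviour, written for this page and not code from JBossWS, Apache CXF or Red Hat: it reads the 'algorithms' and 'keyWrapAlgorithms' lists in the descriptor's syntax, looks up the xenc:EncryptionMethod/@Algorithm URI of every EncryptedData and EncryptedKey element in an incoming message, and rejects the message if any algorithm is outside the lists. An empty list or missing attribute performs no check, as the advisory says is the default. The short-ID-to-URI table, the exception names and the two sample messages are assumptions constructed for the example; the URIs themselves are the standard W3C XML Encryption identifiers.

```python
"""Allowlist check on XML Encryption algorithms, run before decryption.

Added illustration (not JBossWS/CXF code) of the 'encryption' element check
the advisory describes: 'algorithms' and 'keyWrapAlgorithms' hold a space- or
comma-separated allowlist; an empty list or missing attribute means no check.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# Assumed mapping from descriptor short IDs to EncryptionMethod/@Algorithm URIs.
# The GCM and rsa_oaep entries are the advisory's example values; the CBC and
# rsa_15 entries are the legacy cryptosystems a downgrade would steer towards.
ALGORITHM_IDS = {
    "aes-128-gcm": XENC11 + "aes128-gcm",
    "aes-192-gcm": XENC11 + "aes192-gcm",
    "aes-256-gcm": XENC11 + "aes256-gcm",
    "aes-128": XENC + "aes128-cbc",
    "aes-256": XENC + "aes256-cbc",
    "tripledes": XENC + "tripledes-cbc",
}
KEY_WRAP_IDS = {"rsa_oaep": XENC + "rsa-oaep-mgf1p", "rsa_15": XENC + "rsa-1_5"}


class AlgorithmNotAllowed(Exception):
    """Raised, before any decryption, when a message uses a disallowed algorithm."""


def parse_id_list(value):
    """Split an 'algorithms'/'keyWrapAlgorithms' attribute on blanks or commas."""
    return value.replace(",", " ").split()


def _method_uris(root, container):
    """Algorithm URI of every xenc:<container>/xenc:EncryptionMethod in the message."""
    uris = []
    for elem in root.iter("{%s}%s" % (XENC, container)):
        method = elem.find("{%s}EncryptionMethod" % XENC)
        uris.append(method.get("Algorithm") if method is not None else None)
    return uris


def check_incoming_algorithms(soap_xml, algorithms="", key_wrap_algorithms=""):
    """Return ([data algorithm URIs], [key-wrap algorithm URIs]) of the message,
    or raise AlgorithmNotAllowed. Each non-empty allowlist is enforced against
    every EncryptedData / EncryptedKey element; an empty list is not checked."""
    root = ET.fromstring(soap_xml)
    data_uris = _method_uris(root, "EncryptedData")
    wrap_uris = _method_uris(root, "EncryptedKey")
    for attr, found, allowed, table in (
        ("algorithms", data_uris, parse_id_list(algorithms), ALGORITHM_IDS),
        ("keyWrapAlgorithms", wrap_uris, parse_id_list(key_wrap_algorithms), KEY_WRAP_IDS),
    ):
        if not allowed:
            continue  # empty list / missing attribute: no check (backwards compatibility)
        unknown = [i for i in allowed if i not in table]
        if unknown:
            raise ValueError("unknown %s IDs in descriptor: %s" % (attr, unknown))
        permitted = {table[i] for i in allowed}
        for uri in found:
            if uri not in permitted:
                raise AlgorithmNotAllowed("%s: %r is not in %s" % (attr, uri, allowed))
    return data_uris, wrap_uris


def message_accepted(soap_xml, algorithms="", key_wrap_algorithms=""):
    """True if the message would be handed on to the decryptor under this descriptor."""
    try:
        check_incoming_algorithms(soap_xml, algorithms, key_wrap_algorithms)
    except AlgorithmNotAllowed:
        return False
    return True


def _sample_message(data_alg, wrap_alg):
    """Constructed WS-Security message skeleton; ciphertext bodies are elided."""
    return """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="%s">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="%s"/>
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Type="%sContent">
      <xenc:EncryptionMethod Algorithm="%s"/>
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""" % (XENC, wrap_alg, XENC, data_alg)


# A message from a conforming client, and one steered to the legacy algorithms.
MODERN_MESSAGE = _sample_message(XENC11 + "aes256-gcm", XENC + "rsa-oaep-mgf1p")
LEGACY_MESSAGE = _sample_message(XENC + "tripledes-cbc", XENC + "rsa-1_5")

if __name__ == "__main__":
    policy = ("aes-192-gcm aes-256-gcm", "rsa_oaep")  # the advisory's example lists
    print("modern message, lists set :", message_accepted(MODERN_MESSAGE, *policy))
    print("legacy message, lists set :", message_accepted(LEGACY_MESSAGE, *policy))
    print("legacy message, lists empty:", message_accepted(LEGACY_MESSAGE))
```

The last line of the demo is the caveat worth remembering when reviewing a jboss-wsse-server.xml after applying this patch: with the attributes left out, the legacy message is still handed to the decryptor, so the protection only exists once both lists are populated.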
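CVE-2012-5783 above is the absence of one check: after the certificate chain is validated, the name the client connected to must still be compared with the certificate's subjectAltName entries or, failing those, its Common Name. As an added example, not code from Jakarta Commons HttpClient or from this advisory, the function below implements that comparison over certificate dictionaries shaped like the ones Python's ssl.SSLSocket.getpeercert() returns; the certificates themselves are constructed for the example and carry no real keys or issuers.

```python
"""Hostname verification against an X.509 peer certificate.

Added illustration (not HttpClient code) of the check whose absence the
advisory describes: the dicts use the shape of ssl.SSLSocket.getpeercert().
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """RFC 2818-style match: case-insensitive; a wildcard is accepted only as
    the whole leftmost label and only spans one label (so '*.com' never matches)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(hostname, cert):
    """True if `hostname` is covered by `cert`.

    An IP literal is matched only against 'IP Address' SAN entries. A DNS name
    is matched against the 'DNS' SAN entries; the subject Common Name is
    consulted only when the certificate carries no DNS SAN at all. A certificate
    that is valid for some other domain therefore never matches.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):  # CN fallback for SAN-less certificates
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed certificates for the example.
SERVICE_CERT = {
    "subject": ((("commonName", "api.example.net"),),),
    "subjectAltName": (("DNS", "api.example.net"),
                       ("DNS", "*.internal.example.net"),
                       ("IP Address", "192.0.2.10")),
}
OTHER_DOMAIN_CERT = {  # valid, but for a different name than the one connected to
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}
CN_ONLY_CERT = {  # legacy certificate without a subjectAltName extension
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}
MISLEADING_CN_CERT = {  # CN names our host, but the SAN is authoritative
    "subject": ((("commonName", "api.example.net"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

if __name__ == "__main__":
    for label, host, cert in [
        ("exact SAN", "api.example.net", SERVICE_CERT),
        ("wildcard SAN", "db.internal.example.net", SERVICE_CERT),
        ("IP SAN", "192.0.2.10", SERVICE_CERT),
        ("other domain (the CVE case)", "api.example.net", OTHER_DOMAIN_CERT),
        ("CN fallback", "legacy.example.net", CN_ONLY_CERT),
        ("CN ignored when SAN present", "api.example.net", MISLEADING_CN_CERT),
    ]:
        print("%-30s %-5s %s" % (label, hostname_matches(host, cert), host))
```

A client that validates the chain but skips this function accepts OTHER_DOMAIN_CERT for api.example.net, which is exactly the man-in-the-middle condition the advisory describes.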
5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5575.html
https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR0Z8zXlSAg2UNWIIRAvVSAJ9etvm8ZWhkWKtCXoWKsGIRqzNrFACeJ8cU
s4zJGYpP21nMLvS7/0uHsKU=
=JCh5
-----END PGP SIGNATURE-----


From bugzilla at redhat.com Wed Jul 3 17:12:27 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 3 Jul 2013 17:12:27 +0000
Subject: [RHSA-2013:1011-01] Moderate: Red Hat JBoss Web Server 2.0.1 update
Message-ID: <201307031712.r63HCRGt017200@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.0.1 update
Advisory ID:       RHSA-2013:1011-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1011.html
Issue date:        2013-07-03
CVE Names:         CVE-2012-3499 CVE-2012-3544 CVE-2012-4558
                   CVE-2013-2067 CVE-2013-2071
=====================================================================

1. Summary:

Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release:

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header. (CVE-2012-3499)

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071)

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 5 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):

915883 - CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
915884 - CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
961779 - CVE-2013-2067 tomcat: Session fixation in form authenticator
961783 - CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
961803 - CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6.el5.src.rpm
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el5.src.rpm
apache-commons-pool-eap6-1.6-6.redhat_4.ep6.el5.src.rpm
dom4j-1.6.1-19.redhat_5.ep6.el5.src.rpm
ecj3-3.7.2-6.redhat_1.ep6.el5.src.rpm
httpd-2.2.22-23.ep6.el5.src.rpm
mod_cluster-1.2.4-1.Final_redhat_1.ep6.el5.src.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el5.src.rpm
mod_jk-1.2.37-2.redhat_1.ep6.el5.src.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el5.src.rpm
tomcat6-6.0.37-8_patch_01.ep6.el5.src.rpm
tomcat7-7.0.40-9_patch_01.ep6.el5.src.rpm

i386:
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el5.i386.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-1.redhat_1.ep6.el5.i386.rpm
httpd-2.2.22-23.ep6.el5.i386.rpm
httpd-debuginfo-2.2.22-23.ep6.el5.i386.rpm
httpd-devel-2.2.22-23.ep6.el5.i386.rpm
httpd-manual-2.2.22-23.ep6.el5.i386.rpm
httpd-tools-2.2.22-23.ep6.el5.i386.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.4-1.Final.redhat_1.ep6.el5.i386.rpm
mod_jk-ap22-1.2.37-2.redhat_1.ep6.el5.i386.rpm
mod_jk-debuginfo-1.2.37-2.redhat_1.ep6.el5.i386.rpm
mod_jk-manual-1.2.37-2.redhat_1.ep6.el5.i386.rpm
mod_ssl-2.2.22-23.ep6.el5.i386.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el5.i386.rpm
tomcat-native-debuginfo-1.1.27-4.redhat_1.ep6.el5.i386.rpm

noarch:
apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6.el5.noarch.rpm
apache-commons-pool-eap6-1.6-6.redhat_4.ep6.el5.noarch.rpm
apache-commons-pool-tomcat-eap6-1.6-6.redhat_4.ep6.el5.noarch.rpm
dom4j-1.6.1-19.redhat_5.ep6.el5.noarch.rpm
ecj3-3.7.2-6.redhat_1.ep6.el5.noarch.rpm
mod_cluster-1.2.4-1.Final_redhat_1.ep6.el5.noarch.rpm
mod_cluster-demo-1.2.4-1.Final_redhat_1.ep6.el5.noarch.rpm
mod_cluster-tomcat6-1.2.4-1.Final_redhat_1.ep6.el5.noarch.rpm
mod_cluster-tomcat7-1.2.4-1.Final_redhat_1.ep6.el5.noarch.rpm
tomcat6-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-admin-webapps-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-docs-webapp-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-el-1.0-api-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-javadoc-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-lib-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-log4j-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat6-webapps-6.0.37-8_patch_01.ep6.el5.noarch.rpm
tomcat7-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-admin-webapps-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-docs-webapp-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-el-1.0-api-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-javadoc-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-jsp-2.2-api-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-lib-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-log4j-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-servlet-3.0-api-7.0.40-9_patch_01.ep6.el5.noarch.rpm
tomcat7-webapps-7.0.40-9_patch_01.ep6.el5.noarch.rpm

x86_64:
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el5.x86_64.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-1.redhat_1.ep6.el5.x86_64.rpm
httpd-2.2.22-23.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.22-23.ep6.el5.x86_64.rpm
httpd-devel-2.2.22-23.ep6.el5.x86_64.rpm
httpd-manual-2.2.22-23.ep6.el5.x86_64.rpm
httpd-tools-2.2.22-23.ep6.el5.x86_64.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.4-1.Final.redhat_1.ep6.el5.x86_64.rpm
mod_jk-ap22-1.2.37-2.redhat_1.ep6.el5.x86_64.rpm
mod_jk-debuginfo-1.2.37-2.redhat_1.ep6.el5.x86_64.rpm
mod_jk-manual-1.2.37-2.redhat_1.ep6.el5.x86_64.rpm
mod_ssl-2.2.22-23.ep6.el5.x86_64.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el5.x86_64.rpm
tomcat-native-debuginfo-1.1.27-4.redhat_1.ep6.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-3499.html
https://www.redhat.com/security/data/cve/CVE-2012-3544.html
https://www.redhat.com/security/data/cve/CVE-2012-4558.html
https://www.redhat.com/security/data/cve/CVE-2013-2067.html
https://www.redhat.com/security/data/cve/CVE-2013-2071.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR1FtaXlSAg2UNWIIRAmppAJ9JqTKjlMUw+Fk2fJ3Q6odbYoA5igCfTW0J
jc7eLnAzD5kw2nqSpKNb/Hc=
=x+vm
-----END PGP SIGNATURE-----


From bugzilla at redhat.com Wed Jul 3 17:13:32 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 3 Jul 2013 17:13:32 +0000
Subject: [RHSA-2013:1012-01] Moderate: Red Hat JBoss Web Server 2.0.1 update
Message-ID: <201307031713.r63HDXSd009447@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.0.1 update
Advisory ID:       RHSA-2013:1012-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1012.html
Issue date:        2013-07-03
CVE Names:         CVE-2012-3499 CVE-2012-3544 CVE-2012-4558
                   CVE-2013-2067 CVE-2013-2071
=====================================================================

1. Summary:

Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes.
Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release:

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header. (CVE-2012-3499)

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7.
(CVE-2013-2071)

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

915883 - CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
915884 - CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
961779 - CVE-2013-2067 tomcat: Session fixation in form authenticator
961783 - CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
961803 - CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
6. Package List:

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6.el6.src.rpm
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el6.src.rpm
apache-commons-pool-eap6-1.6-6.redhat_4.ep6.el6.src.rpm
dom4j-1.6.1-19.redhat_5.ep6.el6.src.rpm
ecj3-3.7.2-6.redhat_1.ep6.el6.src.rpm
httpd-2.2.22-23.ep6.el6.src.rpm
mod_cluster-1.2.4-1.Final_redhat_1.ep6.el6.src.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el6.src.rpm
mod_jk-1.2.37-2.redhat_1.ep6.el6.src.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el6.src.rpm
tomcat6-6.0.37-10_patch_01.ep6.el6.src.rpm
tomcat7-7.0.40-5_patch_01.ep6.el6.src.rpm

i386:
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el6.i386.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-1.redhat_1.ep6.el6.i386.rpm
httpd-2.2.22-23.ep6.el6.i386.rpm
httpd-debuginfo-2.2.22-23.ep6.el6.i386.rpm
httpd-devel-2.2.22-23.ep6.el6.i386.rpm
httpd-manual-2.2.22-23.ep6.el6.i386.rpm
httpd-tools-2.2.22-23.ep6.el6.i386.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.4-1.Final.redhat_1.ep6.el6.i386.rpm
mod_jk-ap22-1.2.37-2.redhat_1.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.37-2.redhat_1.ep6.el6.i386.rpm
mod_jk-manual-1.2.37-2.redhat_1.ep6.el6.i386.rpm
mod_ssl-2.2.22-23.ep6.el6.i386.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el6.i386.rpm
tomcat-native-debuginfo-1.1.27-4.redhat_1.ep6.el6.i386.rpm

noarch:
apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6.el6.noarch.rpm
apache-commons-pool-eap6-1.6-6.redhat_4.ep6.el6.noarch.rpm
apache-commons-pool-tomcat-eap6-1.6-6.redhat_4.ep6.el6.noarch.rpm
dom4j-1.6.1-19.redhat_5.ep6.el6.noarch.rpm
ecj3-3.7.2-6.redhat_1.ep6.el6.noarch.rpm
mod_cluster-1.2.4-1.Final_redhat_1.ep6.el6.noarch.rpm
mod_cluster-demo-1.2.4-1.Final_redhat_1.ep6.el6.noarch.rpm
mod_cluster-tomcat6-1.2.4-1.Final_redhat_1.ep6.el6.noarch.rpm
mod_cluster-tomcat7-1.2.4-1.Final_redhat_1.ep6.el6.noarch.rpm
tomcat6-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-el-1.0-api-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-lib-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.37-10_patch_01.ep6.el6.noarch.rpm
tomcat7-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-el-1.0-api-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-lib-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.40-5_patch_01.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.40-5_patch_01.ep6.el6.noarch.rpm

x86_64:
apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6.el6.x86_64.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-1.redhat_1.ep6.el6.x86_64.rpm
httpd-2.2.22-23.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.22-23.ep6.el6.x86_64.rpm
httpd-devel-2.2.22-23.ep6.el6.x86_64.rpm
httpd-manual-2.2.22-23.ep6.el6.x86_64.rpm
httpd-tools-2.2.22-23.ep6.el6.x86_64.rpm
mod_cluster-native-1.2.4-1.Final.redhat_1.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.4-1.Final.redhat_1.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.37-2.redhat_1.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.37-2.redhat_1.ep6.el6.x86_64.rpm
mod_jk-manual-1.2.37-2.redhat_1.ep6.el6.x86_64.rpm
mod_ssl-2.2.22-23.ep6.el6.x86_64.rpm
tomcat-native-1.1.27-4.redhat_1.ep6.el6.x86_64.rpm
tomcat-native-debuginfo-1.1.27-4.redhat_1.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-3499.html
https://www.redhat.com/security/data/cve/CVE-2012-3544.html
https://www.redhat.com/security/data/cve/CVE-2012-4558.html
https://www.redhat.com/security/data/cve/CVE-2013-2067.html
https://www.redhat.com/security/data/cve/CVE-2013-2071.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR1FucXlSAg2UNWIIRAtVsAJ46qgWGWJSEguA8zM2V8tU6U6/VcACcC8RK
nKCvwbo+rHahayKYkr/TMQQ=
=mBgm
-----END PGP SIGNATURE-----


From bugzilla at redhat.com Wed Jul 3 17:14:42 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 3 Jul 2013 17:14:42 +0000
Subject: [RHSA-2013:1013-01] Moderate: Red Hat JBoss Web Server 2.0.1 update
Message-ID: <201307031714.r63HEgHD011815@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.0.1 update
Advisory ID:       RHSA-2013:1013-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1013.html
Issue date:        2013-07-03
CVE Names:         CVE-2012-3499 CVE-2012-3544 CVE-2012-4558
                   CVE-2013-0166 CVE-2013-0169 CVE-2013-2067
                   CVE-2013-2071
=====================================================================
1. Summary:

Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available from the Red Hat Customer Portal for Red Hat Enterprise Linux 5 and 6, Solaris, and Microsoft Windows.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release:

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header. (CVE-2012-3499)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL.
A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

Note: CVE-2013-0166 and CVE-2013-0169 were only corrected in the packages for Solaris and Windows. Updates for Red Hat Enterprise Linux can be downloaded from the Red Hat Network.

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071)

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Server 2.0.1, which corrects these issues.
3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

4. Bugs fixed (http://bugzilla.redhat.com/):

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
908052 - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification
915883 - CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
915884 - CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
961779 - CVE-2013-2067 tomcat: Session fixation in form authenticator
961783 - CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
961803 - CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3499.html
https://www.redhat.com/security/data/cve/CVE-2012-3544.html
https://www.redhat.com/security/data/cve/CVE-2012-4558.html
https://www.redhat.com/security/data/cve/CVE-2013-0166.html
https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://www.redhat.com/security/data/cve/CVE-2013-2067.html
https://www.redhat.com/security/data/cve/CVE-2013-2071.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=2.0.1
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR1FvaXlSAg2UNWIIRAuRHAJwPeq1bbpVCriOQYzzsB9/oKfZANACfXGnX
PT1zTAO0MYY7uRnj/x6ul3s=
=PZWq
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jul 9 18:01:55 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 Jul 2013 18:01:55 +0000
Subject: [RHSA-2013:1028-01] Important: Fuse ESB Enterprise 7.1.0 update
Message-ID: <201307091801.r69I1toe031571@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse ESB Enterprise 7.1.0 update
Advisory ID:       RHSA-2013:1028-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1028.html
Issue date:        2013-07-09
CVE Names:         CVE-2012-5575 CVE-2013-0269 CVE-2013-1821 CVE-2013-2160
=====================================================================

1. Summary:

Fuse ESB Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration
platform.

This release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to
Fuse ESB Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

XML encryption backwards compatibility attacks were found against various
frameworks, including Apache CXF. An attacker could force a server to use
insecure, legacy cryptosystems, even when secure cryptosystems were enabled
on endpoints. By forcing the use of legacy cryptosystems, flaws such as
CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be
recovered from cryptograms and symmetric keys. (CVE-2012-5575)

Note: Automatic checks to prevent CVE-2012-5575 are only run when
WS-SecurityPolicy is used to enforce security requirements. It is best
practice to use WS-SecurityPolicy to enforce security requirements.

A flaw in JRuby's JSON gem allowed remote attacks by creating different
types of malicious objects. For example, it could initiate a denial of
service attack through resource consumption by using a JSON document to
create arbitrary Ruby symbols, which were never garbage collected. It could
also be exploited to create internal objects which could allow a SQL
injection attack. (CVE-2013-0269)

It was discovered that JRuby's REXML library did not properly restrict XML
entity expansion. An attacker could use this flaw to cause a denial of
service by tricking a Ruby application using REXML to read text nodes from
specially-crafted XML content, which will result in REXML consuming large
amounts of system memory. (CVE-2013-1821)

Multiple denial of service flaws were found in the way the Apache CXF StAX
parser implementation processed certain XML files. If a web service utilized
the StAX parser, a remote attacker could provide a specially-crafted XML
file that, when processed, would lead to excessive CPU and memory
consumption. (CVE-2013-2160)

Note: Fuse ESB Enterprise 7.1.0 ships JRuby as part of the camel-ruby
component, which allows users to define Camel routes in Ruby. The default
use of JRuby in Fuse ESB Enterprise 7.1.0 does not appear to expose either
CVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Fuse ESB
Enterprise 7.1.0 was used to build a custom application, then these flaws
could be exposed.

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj
Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575; Ruby on
Rails upstream for reporting CVE-2013-0269; and Andreas Falkenberg of SEC
Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg
Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160. Upstream
acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original
reporters of CVE-2013-0269.

All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse ESB Enterprise 7.1.0 roll up patch 1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

880443 - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks
909029 - CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
914716 - CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML
929197 - CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5575.html
https://www.redhat.com/security/data/cve/CVE-2013-0269.html
https://www.redhat.com/security/data/cve/CVE-2013-1821.html
https://www.redhat.com/security/data/cve/CVE-2013-2160.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
http://cxf.apache.org/cve-2012-5575.html
https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3E/xXlSAg2UNWIIRAsvVAKCf8pGQ9CDR9pwQYUbn0l1hB0R6kgCgtGn3
bJaiDK+zZxeA/Xvt4LdhsqE=
=4+Kq
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jul 9 18:03:08 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 Jul 2013 18:03:08 +0000
Subject: [RHSA-2013:1029-01] Important: Fuse MQ Enterprise 7.1.0 update
Message-ID: <201307091803.r69I38YB029310@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse MQ Enterprise 7.1.0 update
Advisory ID:       RHSA-2013:1029-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1029.html
Issue date:        2013-07-09
CVE Names:         CVE-2012-6092 CVE-2012-6551 CVE-2013-1879 CVE-2013-1880
                   CVE-2013-2035 CVE-2013-3060
=====================================================================

1. Summary:

Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)

Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)

It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send the sample
application requests, allowing them to consume all available broker
resources. (CVE-2012-6551)

A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to perform
an XSS attack against users viewing the scheduled.jsp page. (CVE-2013-1879)

A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or HTML.
(CVE-2013-1880)

Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.

All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

924446 - CVE-2013-1879 ActiveMQ: XSS vulnerability in scheduled.jsp
924447 - CVE-2013-1880 ActiveMQ: XSS vulnerability in portfolioPublish demo application
955906 - CVE-2012-6092 activemq: Multiple XSS flaws in web demos
955907 - CVE-2012-6551 activemq: DoS by resource consumption via HTTP requests to sample webapp
955908 - CVE-2013-3060 activemq: Unauthenticated access to web console
958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-6092.html
https://www.redhat.com/security/data/cve/CVE-2012-6551.html
https://www.redhat.com/security/data/cve/CVE-2013-1879.html
https://www.redhat.com/security/data/cve/CVE-2013-1880.html
https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-3060.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3FAxXlSAg2UNWIIRAk3GAKCl5lKq02FkTzjEMpo3tJ8Xoy8IzgCgv6WI
O2Lf3I1h038va3APHQ765yQ=
=qG+d
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 11 01:25:01 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 11 Jul 2013 01:25:01 +0000
Subject: [RHSA-2013:1041-01] Critical: Red Hat JBoss Web Framework Kit 2.3.0 update
Message-ID: <201307110125.r6B1P2dZ018662@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Web Framework Kit 2.3.0 update
Advisory ID:       RHSA-2013:1041-01
Product:           Red Hat JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1041.html
Issue date:        2013-07-10
CVE Names:         CVE-2013-2165
=====================================================================

1. Summary:

Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications.

This release serves as a replacement for Red Hat JBoss Web Framework Kit
2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0 Release
Notes for information on the most significant of these changes, available
shortly from https://access.redhat.com/site/documentation/

This release also fixes the following security issue:

A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending on
the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces. If you need to whitelist a class that is not
already listed, for example, a custom class, you can achieve this by
following one of these methods:

Method 1: Implementing the SerializableResource interface. In RichFaces 3,
this is defined at org.ajax4jsf.resource.SerializableResource and in
RichFaces 4/5, at org.richfaces.resource.SerializableResource.

Method 2: Adding the class to the resource-serialization.properties file (a
default properties file is provided once this update is applied). To do this
you can extend the framework-provided properties file that is available
under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in
RichFaces 4/5. The modified properties file has to be copied into the
classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions,
Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing installation of
Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,
and applications deployed to it.

All users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red
Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework
Kit 2.3.0.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

Before applying this update, back up your existing installation of Red Hat
JBoss Enterprise Application Platform or Red Hat JBoss Web Server, and
applications deployed to it.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2165.html
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions
https://access.redhat.com/site/documentation/

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3gldXlSAg2UNWIIRAi2sAKCLBq5XRA6iugyDFso8BPSVVP1/NgCfc5Nm
o1ezvGVgBpqWB0tAdv41+rc=
=qHkU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 11 01:39:20 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 11 Jul 2013 01:39:20 +0000
Subject: [RHSA-2013:1042-01] Critical: richfaces security update
Message-ID: <201307110139.r6B1dLHd023987@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: richfaces security update
Advisory ID:       RHSA-2013:1042-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1042.html
Issue date:        2013-07-10
CVE Names:         CVE-2013-2165
=====================================================================

1. Summary:

Updated richfaces packages that fix one security issue are now available for
Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat Enterprise
Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.

A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending on
the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces. If you need to whitelist a class that is not
already listed, for example, a custom class, you can achieve this by
following one of these methods:

Method 1: Implementing the SerializableResource interface. In RichFaces 3,
this is defined at org.ajax4jsf.resource.SerializableResource and in
RichFaces 4/5, at org.richfaces.resource.SerializableResource.

Method 2: Adding the class to the resource-serialization.properties file (a
default properties file is provided once this update is applied). To do this
you can extend the framework-provided properties file that is available
under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in
RichFaces 4/5. The modified properties file has to be copied into the
classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions,
Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

6. Package List:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/richfaces-3.3.1-11.SP3_patch_01.ep5.el4.src.rpm

noarch:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-demo-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-framework-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-root-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-ui-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/richfaces-3.3.1-11.SP3_patch_01.ep5.el4.src.rpm

noarch:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-demo-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-framework-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-root-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-ui-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/richfaces-3.3.1-6.SP3_patch_01.ep5.el5.src.rpm

noarch:
richfaces-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-demo-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-framework-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-root-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-ui-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/richfaces-3.3.1-3.SP3_patch_01.ep5.el6.src.rpm

noarch:
richfaces-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-demo-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-framework-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-root-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-ui-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2165.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3gmhXlSAg2UNWIIRAhvUAJ4hI+IdciG9M62YoPCivXbEqu/yIgCgjseP
4cbpkpeTEDJqA2Ng14DhBb0=
=PNsW
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 11 01:46:42 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 11 Jul 2013 01:46:42 +0000
Subject: [RHSA-2013:1043-01] Critical: richfaces security update
Message-ID: <201307110146.r6B1kgj4021834@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: richfaces security update
Advisory ID:       RHSA-2013:1043-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1043.html
Issue date:        2013-07-10
CVE Names:         CVE-2013-2165
=====================================================================

1. Summary:

Updated richfaces packages that fix one security issue are now available for
Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Web Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Web Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Web Platform 5 for RHEL 6 Server - noarch

3. Description:

RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.

A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending on
the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces. If you need to whitelist a class that is not
already listed, for example, a custom class, you can achieve this by
following one of these methods:

Method 1: Implementing the SerializableResource interface. In RichFaces 3,
this is defined at org.ajax4jsf.resource.SerializableResource and in
RichFaces 4/5, at org.richfaces.resource.SerializableResource.

Method 2: Adding the class to the resource-serialization.properties file (a
default properties file is provided once this update is applied). To do this
you can extend the framework-provided properties file that is available
under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in
RichFaces 4/5. The modified properties file has to be copied into the
classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions,
Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing Red Hat JBoss
Web Platform installation (including all applications and configuration
files).

All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux 4,
5, and 6 are advised to upgrade to these updated packages. The JBoss server
process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

6. Package List:

Red Hat JBoss Web Platform 5 for RHEL 4 AS:

Source:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.src.rpm

noarch:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-demo-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-framework-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-root-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-ui-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 4 ES:

Source:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.src.rpm

noarch:
richfaces-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-demo-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-framework-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-root-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm
richfaces-ui-3.3.1-11.SP3_patch_01.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 5 Server:

Source:
richfaces-3.3.1-6.SP3_patch_01.ep5.el5.src.rpm

noarch:
richfaces-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-demo-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-framework-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-root-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm
richfaces-ui-3.3.1-6.SP3_patch_01.ep5.el5.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 6 Server:

Source:
richfaces-3.3.1-3.SP3_patch_01.ep5.el6.src.rpm

noarch:
richfaces-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-demo-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-framework-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-root-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm
richfaces-ui-3.3.1-3.SP3_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2165.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR3g0bXlSAg2UNWIIRAlLRAKC1SS9ia4cEFulwULag1O0JP7e19gCdFKvJ
P6ipMRbmGhZIX8LbhQmk1Ik=
=mWE9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 11 01:47:59 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 11 Jul 2013 01:47:59 +0000
Subject: [RHSA-2013:1044-01] Critical: jboss-seam2 security update
Message-ID: <201307110148.r6B1m0A0021989@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: jboss-seam2 security update
Advisory ID:       RHSA-2013:1044-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1044.html
Issue date:        2013-07-10
CVE Names:         CVE-2013-2165
=====================================================================

1. Summary:

Updated jboss-seam2 packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat
Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java. The RichFaces component is an open source framework
that adds Ajax capability into existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending on
the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces. If you need to whitelist a class that is not
already listed, for example, a custom class, you can achieve this by
following one of these methods:

Method 1: Implementing the SerializableResource interface. In RichFaces 3,
this is defined at org.ajax4jsf.resource.SerializableResource and in
RichFaces 4/5, at org.richfaces.resource.SerializableResource.

Method 2: Adding the class to the resource-serialization.properties file (a
default properties file is provided once this update is applied). To do this
you can extend the framework-provided properties file that is available
under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in
RichFaces 4/5. The modified properties file has to be copied into the
classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions,
Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on Red
Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

6. Package List:

Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP_SEC1-1.ep2.6.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP_SEC1-1.ep2.6.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el5.src.rpm

noarch:
jboss-seam2-2.0.2.FP_SEC1-1.ep2.6.el5.noarch.rpm
jboss-seam2-docs-2.0.2.FP_SEC1-1.ep2.6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2165.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
From bugzilla at redhat.com Thu Jul 11 01:49:02 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 11 Jul 2013 01:49:02 +0000
Subject: [RHSA-2013:1045-01] Critical: RichFaces security update
Message-ID: <201307110149.r6B1n36L025741@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: RichFaces security update
Advisory ID: RHSA-2013:1045-01
Product: Red Hat JBoss Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1045.html
Issue date: 2013-07-11
CVE Names: CVE-2013-2165
=====================================================================

1. Summary:

An update for the RichFaces component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform 5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and 5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss Operations Network 2.4.2 and 3.1.2.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

RichFaces is an open source framework that adds Ajax capability into existing JavaServer Faces (JSF) applications.

A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server.
This could lead to a variety of security impacts depending on the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be deserialized by RichFaces. If you need to whitelist a class that is not already listed, for example, a custom class, you can achieve this by following one of these methods:

Method 1: Implementing the SerializableResource interface. In RichFaces 3, this is defined at org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at org.richfaces.resource.SerializableResource.

Method 2: Adding the class to the resource-serialization.properties file (a default properties file is provided once this update is applied). To do this you can extend the framework-provided properties file that is available under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in RichFaces 4/5. The modified properties file has to be copied into the classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. For Red Hat JBoss Operations Network, also back up the Red Hat JBoss Operations Network server's file system directory.

All users of the affected products as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. For Red Hat JBoss Operations Network, also back up the Red Hat JBoss Operations Network server's file system directory.
For Red Hat JBoss BRMS, Red Hat JBoss SOA Platform, and Red Hat JBoss Portal, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then, after installing the update, restart the server by starting the JBoss Application Server process.

Refer to the Red Hat JBoss Operations Network Release Notes for installation information.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2165.html
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/site/documentation/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=4.3.0.GA_CP10
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=soaplatform&version=4.3.0.GA_CP05
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.1.2
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=2.4.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
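Both RichFaces advisories above (CVE-2013-2165) describe the same mitigation: a whitelist of classes that may be deserialized, extended either by implementing a marker interface (Method 1) or by listing class names in resource-serialization.properties (Method 2). The Java example below is added here and is not RichFaces' or Red Hat's code; it shows the look-ahead check such a whitelist performs in an ObjectInputStream, using a hypothetical AllowedResource interface in place of SerializableResource and a constructed name set in place of the properties file, whose actual format is not given on the page.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

public class WhitelistDeserialization {
    // Hypothetical stand-in for the framework's SerializableResource marker interface.
    public interface AllowedResource extends Serializable {}
    // Whitelisted via Method 1: it implements the marker interface.
    public static class ChartResource implements AllowedResource { String name = "chart"; }
    // Serializable but whitelisted by neither method, so it must be rejected.
    public static class ArbitraryBean implements Serializable { String payload = "x"; }

    // Look-ahead stream: each class descriptor is checked before any instance is built.
    public static class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedNames; // Method 2: class names from a properties file
        public WhitelistObjectInputStream(InputStream in, Set<String> allowedNames) throws IOException {
            super(in);
            this.allowedNames = allowedNames;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (allowedNames.contains(name)) return super.resolveClass(desc);
            // Class.forName(name, false, loader) underneath: the class is loaded but not initialised.
            Class<?> c = super.resolveClass(desc);
            if (AllowedResource.class.isAssignableFrom(c)) return c;
            throw new InvalidClassException(name, "class is not whitelisted for deserialization");
        }
    }

    // Serializes obj and reads it back through the whitelisting stream; true if it was accepted.
    public static boolean roundTripAccepted(Serializable obj, Set<String> allowedNames)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        try (ObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allowedNames)) {
            in.readObject();
            return true;
        } catch (InvalidClassException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list standing in for entries from resource-serialization.properties.
        Set<String> fromProperties = Collections.singleton("com.example.LegacyResource");
        System.out.println("ChartResource accepted: " + roundTripAccepted(new ChartResource(), fromProperties));
        System.out.println("ArbitraryBean accepted: " + roundTripAccepted(new ArbitraryBean(), fromProperties));
    }
}
```

Because the check runs in resolveClass, a non-whitelisted class is refused before its readObject or other deserialization hooks can execute, which is the behaviour the advisories' whitelist is meant to guarantee.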