[RHSA-2014:0195-01] Moderate: Red Hat JBoss Portal 6.1.1 update

bugzilla at redhat.com bugzilla at redhat.com
Thu Feb 20 17:31:41 UTC 2014

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Portal 6.1.1 update
Advisory ID:       RHSA-2014:0195-01
Product:           Red Hat JBoss Portal
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0195.html
Issue date:        2014-02-20
CVE Names:         CVE-2013-4517 CVE-2013-6440 

1. Summary:

Red Hat JBoss Portal 6.1.1, which fixes two security issues and various
bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat JBoss Portal is the open source implementation of the Java EE suite
of services and Portal services running atop Red Hat JBoss Enterprise
Application Platform.

This Red Hat JBoss Portal 6.1.1 release serves as a replacement for 6.1.0.
Refer to the 6.1.1 Release Notes for further information, available shortly
from https://access.redhat.com/site/documentation/en-US/

It was found that the ParserPool and Decrypter classes in the OpenSAML Java
implementation resolved external entities, permitting XML External Entity
(XXE) attacks. A remote attacker could use this flaw to read files
accessible to the user running the application server, and potentially
perform other more advanced XXE attacks. (CVE-2013-6440)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Portal 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Portal 6.1.1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up all
applications deployed on JBoss Enterprise Portal Platform, along with all
customized configuration files, and any databases and database settings.

4. Bugs fixed (https://bugzilla.redhat.com/):

1043332 - CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

5. References:


6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
Version: GnuPG v1.4.4 (GNU/Linux)


More information about the Jboss-watch-list mailing list