[RHSA-2015:1641-03] Important: Red Hat JBoss Web Server 2.1.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 18 19:06:49 UTC 2015

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.0 security update
Advisory ID:       RHSA-2015:1641-03
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1641.html
Issue date:        2015-08-18
CVE Names:         CVE-2014-8111 CVE-2015-0298 

1. Summary:

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues
is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

A flaw was found in the way the mod_cluster manager processed certain MCMP
messages. An attacker with access to the network from which MCMP messages
are allowed to be sent could use this flaw to execute arbitrary JavaScript
code in the mod_cluster manager web interface. (CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat
Customer Portal are advised to apply this update. The Red Hat JBoss Web
Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

5. References:


6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
Version: GnuPG v1


More information about the Jboss-watch-list mailing list