[RHSA-2015:1642-03] Important: Red Hat JBoss Web Server 2.1.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 18 19:07:05 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.0 security update
Advisory ID:       RHSA-2015:1642-03
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1642.html
Issue date:        2015-08-18
CVE Names:         CVE-2014-8111 CVE-2015-0298 
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues
is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 7 Server - x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

A flaw was found in the way the mod_cluster manager processed certain MCMP
messages. An attacker with access to the network from which MCMP messages
are allowed to be sent could use this flaw to execute arbitrary JavaScript
code in the mod_cluster manager web interface. (CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm

i386:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el5.i386.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.i386.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el6.src.rpm

i386:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.i386.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.i386.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 7 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el7.src.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8111
https://access.redhat.com/security/cve/CVE-2015-0298
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV04JXXlSAg2UNWIIRAobWAJ4r5HJEKoBR5VhYKxZSnUqdM6DdRACffNn0
TYxsVdrkepuKkGVOeHIGsvw=
=+xyj
-----END PGP SIGNATURE-----

More information about the Jboss-watch-list mailing list