[RHSA-2015:0719-01] Important: Red Hat JBoss Web Framework Kit 2.7.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Tue Mar 24 21:10:26 UTC 2015

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Framework Kit 2.7.0 security update
Advisory ID:       RHSA-2015:0719-01
Product:           Red Hat JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0719.html
Issue date:        2015-03-24
CVE Names:         CVE-2015-0279 

1. Summary:

An update for the RichFaces component of Red Hat JBoss Web Framework Kit
2.7.0 that fixes one security issue is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web
frameworks into a single solution for Java applications. RichFaces is an
open source framework that adds Ajax capability into existing JavaServer
Faces (JSF) applications.

It was found that the 'do' parameter permitted expression language (EL)
injection, which could allow a remote attacker to execute Java methods on
an affected server. (CVE-2015-0279)

Red Hat would like to thank Takeshi Terada of Mitsui Bussan Secure
Directions, Inc. for reporting this issue.

All users of Red Hat JBoss Web Framework Kit 2.7.0 as provided from the Red
Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing installation of Red Hat JBoss Web Framework Kit.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1192140 - CVE-2015-0279 RichFaces: Remote Command Execution via insufficient EL parameter sanitization

5. References:


6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
Version: GnuPG v1


More information about the Jboss-watch-list mailing list