From bugzilla at redhat.com Mon Oct 12 15:28:16 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 12 Oct 2015 11:28:16 -0400
Subject: [RHSA-2015:1888-01] Important: Red Hat JBoss SOA Platform 5.3.1 security update
Message-ID: <201510121528.t9CFSGhx023880@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss SOA Platform 5.3.1 security update
Advisory ID:       RHSA-2015:1888-01
Product:           Red Hat JBoss SOA Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1888.html
Issue date:        2015-10-12
CVE Names:         CVE-2012-6153 CVE-2013-7285 CVE-2014-0107 CVE-2014-0248
                   CVE-2014-3530 CVE-2014-3577 CVE-2014-3604
=====================================================================

1. Summary:

An update for Red Hat JBoss SOA Platform 5.3.1 which fixes multiple security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality.

It was found that the code which checked that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285)

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3530)

It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server host name matches the domain name in the subject's CN field was flawed. This could be exploited by a man-in-the-middle attacker by spoofing a valid certificate using a specially crafted subject. (CVE-2014-3604)

Red Hat would like to thank Alexander Papadakis for reporting CVE-2014-3530. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security, the CVE-2014-3604 issue was discovered by Arun Babu Neelicattu of Red Hat Product Security, and the CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss SOA Platform installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss SOA Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss SOA Platform server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1051277 - CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter
1112987 - CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
1131803 - CVE-2014-3604 Not Yet Commons SSL: Hostname verification susceptible to MITM attack
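Three of the issues above (CVE-2012-6153, CVE-2014-3577, CVE-2014-3604) are hostname-verification flaws in which a crafted certificate subject satisfies a check that was supposed to compare the server name with the CN. The following is an added example, not code from the advisory or from any of the affected libraries: a verifier that works on the parsed subject attributes (in the dictionary shape Python's ssl.getpeercert() returns), prefers subjectAltName dNSName entries, and applies the wildcard rules of RFC 6125; a naive check over the flattened DN string is shown alongside for contrast. The certificates are constructed samples, not real ones.

```python
"""Hostname verification against a parsed X.509 subject (added example).

Works on the dict shape returned by ssl.SSLSocket.getpeercert(): 'subject'
is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs, and
'subjectAltName' is a tuple of (type, value) pairs.
"""
import re

# Constructed sample: a normal certificate carrying SAN entries.
SAMPLE_CERT_SAN = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}

# Constructed sample with no SAN, whose organizationName value merely looks
# like a "CN=" attribute when the DN is rendered as one string. The real
# commonName attribute names a different host.
SAMPLE_CERT_CRAFTED = {
    "subject": ((("organizationName", "Example Corp, CN=www.example.com"),),
                (("commonName", "attacker.example.net"),)),
}

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
_SHORT = {"commonName": "CN", "organizationName": "O", "countryName": "C"}


def _normalise(name):
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.rstrip(".").lower()


def match_dns_name(pattern, hostname):
    """RFC 6125-style comparison: a single '*' may stand for exactly one
    left-most label; every other label must match exactly. IP literals are
    out of scope here (they must be matched via SAN iPAddress, never CN)."""
    p_labels = _normalise(pattern).split(".")
    h_labels = _normalise(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole public suffix (e.g. "*.com").
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "f*o.example.com" are rejected
    return p_labels == h_labels


def dns_names(cert):
    """Names the certificate may identify. SAN dNSName entries win; the
    subject commonName is consulted only when there is no SAN at all, and
    only its parsed attribute value is used, never the DN string."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ())
            for (attr, v) in rdn if attr == "commonName"]


def verify_hostname(cert, hostname):
    """True only if hostname is syntactically a DNS name and matches one of
    the certificate's identities."""
    if not all(_LABEL.match(l) for l in _normalise(hostname).split(".")):
        return False
    return any(match_dns_name(n, hostname) for n in dns_names(cert))


def flattened_dn_check(cert, hostname):
    """Illustrative naive check (not the code of any affected library):
    renders the subject as one string and searches it for 'CN=<hostname>'.
    Any attribute value that embeds 'CN=...' satisfies it."""
    dn = ", ".join(f"{_SHORT.get(attr, attr)}={v}"
                   for rdn in cert["subject"] for (attr, v) in rdn)
    return f"CN={hostname}" in dn


if __name__ == "__main__":
    for cert in (SAMPLE_CERT_SAN, SAMPLE_CERT_CRAFTED):
        print("parsed:", verify_hostname(cert, "www.example.com"),
              "flattened:", flattened_dn_check(cert, "www.example.com"))
```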
5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2013-7285
https://access.redhat.com/security/cve/CVE-2014-0107
https://access.redhat.com/security/cve/CVE-2014-0248
https://access.redhat.com/security/cve/CVE-2014-3530
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/cve/CVE-2014-3604
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 15 16:50:05 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 15 Oct 2015 12:50:05 -0400
Subject: [RHSA-2015:1904-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Message-ID: <201510151650.t9FGo5IY030184@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Advisory ID:       RHSA-2015:1904-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1904.html
Issue date:        2015-10-15
CVE Names:         CVE-2015-5178 CVE-2015-5188 CVE-2015-5220
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178)

Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change.

It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188)

The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1256986 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1
1261575 - RHEL5 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1
1261580 - RHEL5 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1
1261584 - RHEL5 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1
1261588 - RHEL5 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1
1261599 - RHEL5 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2
1261604 - RHEL5 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2
1261619 - RHEL5 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7
1261623 - RHEL5 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6
1261626 - RHEL5 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1
1261991 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1
1262022 - RHEL5 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3
1263380 - RHEL5 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1
6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 5:

Source:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el5.src.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el5.src.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el5.src.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el5.src.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el5.src.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el5.src.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el5.noarch.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el5.noarch.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el5.noarch.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
7. References:

https://access.redhat.com/security/cve/CVE-2015-5178
https://access.redhat.com/security/cve/CVE-2015-5188
https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 15 16:50:38 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 15 Oct 2015 12:50:38 -0400
Subject: [RHSA-2015:1905-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Message-ID: <201510151650.t9FGoc13030869@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Advisory ID:       RHSA-2015:1905-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1905.html
Issue date:        2015-10-15
CVE Names:         CVE-2015-5178 CVE-2015-5188 CVE-2015-5220
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178)

Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change.

It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188)

The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1256985 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1
1261574 - RHEL6 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1
1261579 - RHEL6 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1
1261583 - RHEL6 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1
1261587 - RHEL6 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1
1261598 - RHEL6 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2
1261603 - RHEL6 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2
1261618 - RHEL6 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7
1261622 - RHEL6 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6
1261625 - RHEL6 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1
1261990 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1
1262021 - RHEL6 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3
1263379 - RHEL6 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1
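Both EAP 6.4.4 advisories above (RHSA-2015:1904 and RHSA-2015:1905) list bug 1250552, a missing X-Frame-Options header that left the Management Console frameable. The following is an added example, not code from the advisory or from JBoss EAP: a check that classifies an HTTP response by the anti-framing protection it actually carries, honouring Content-Security-Policy frame-ancestors first and falling back to X-Frame-Options, and flagging the cases browsers treat as no protection. The responses are constructed samples.

```python
"""Anti-framing header check for an HTTP response (added example).

Verifies the control whose absence bug 1250552 / CVE-2015-5178 describes.
The sample responses below are constructed, not captured from any server.
"""

# Constructed sample: a console page with no framing protection at all.
RESPONSE_UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>console</body></html>"
)

# Constructed sample: protected by both mechanisms; CSP takes precedence.
RESPONSE_PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><body>console</body></html>"
)


def parse_headers(raw):
    """Map lower-cased header name -> list of values (headers may repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(headers):
    """Source list of the first CSP frame-ancestors directive, or None."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def framing_protection(raw):
    """Return (status, findings): status is 'csp' when frame-ancestors
    restricts framing, 'xfo' when a valid X-Frame-Options value is present,
    'none' otherwise. findings explains why weaker cases were not accepted."""
    headers = parse_headers(raw)
    findings = []

    ancestors = csp_frame_ancestors(headers)
    if ancestors is not None:
        if "*" in ancestors:
            findings.append("frame-ancestors allows any origin")
        else:
            return "csp", findings

    xfo = headers.get("x-frame-options", [])
    if len(xfo) > 1:
        # Conflicting duplicates are not reliably honoured by browsers.
        findings.append("multiple X-Frame-Options headers; treated as unprotected")
    elif xfo:
        if xfo[0].strip().upper() in ("DENY", "SAMEORIGIN"):
            return "xfo", findings
        # ALLOW-FROM and arbitrary values are not a dependable protection.
        findings.append(f"unsupported X-Frame-Options value: {xfo[0]!r}")
    else:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: "
                        "page can be framed (clickjacking)")
    return "none", findings


if __name__ == "__main__":
    for name, resp in (("unprotected", RESPONSE_UNPROTECTED),
                       ("protected", RESPONSE_PROTECTED)):
        print(name, framing_protection(resp))
```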
6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el6.src.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el6.src.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el6.src.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el6.src.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el6.src.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el6.src.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el6.noarch.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el6.noarch.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el6.noarch.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el6.noarch.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
References:

https://access.redhat.com/security/cve/CVE-2015-5178
https://access.redhat.com/security/cve/CVE-2015-5188
https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 15 17:08:56 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 15 Oct 2015 13:08:56 -0400
Subject: [RHSA-2015:1906-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Message-ID: <201510151708.t9FH8uxq029670@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Advisory ID: RHSA-2015:1906-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1906.html
Issue date: 2015-10-15
CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2.
Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178)

Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change.

It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188)

The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4.
Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1256987 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1
1261576 - RHEL7 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1
1261581 - RHEL7 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1
1261585 - RHEL7 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1
1261589 - RHEL7 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1
1261600 - RHEL7 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2
1261605 - RHEL7 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2
1261620 - RHEL7 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7
1261624 - RHEL7 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6
1261627 - RHEL7 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1
1261992 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1
1262023 - RHEL7 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3
1263381 - RHEL7 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1

6.
Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el7.src.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el7.src.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el7.src.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el7.src.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el7.src.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el7.src.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el7.src.rpm

noarch:
apache-cxf-2.7.17-1.redhat_1.1.ep6.el7.noarch.rpm
httpserver-1.0.5-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-aesh-0.33.16-1.redhat_1.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el7.noarch.rpm
jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm
jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el7.noarch.rpm
weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el7.noarch.rpm
weld-core-1.1.31-1.Final_redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.
References:

https://access.redhat.com/security/cve/CVE-2015-5178
https://access.redhat.com/security/cve/CVE-2015-5188
https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 15 17:09:05 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 15 Oct 2015 13:09:05 -0400
Subject: [RHSA-2015:1907-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.4 jboss-ec2-eap update
Message-ID: <201510151709.t9FH95Y0027765@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 jboss-ec2-eap update
Advisory ID: RHSA-2015:1907-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1907.html
Issue date: 2015-10-15
CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220
=====================================================================

1. Summary:

Updated jboss-ec2-eap packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178)

Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change.

It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188)

The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

* The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.4.

Documentation for these changes is available from the link in the References section.
All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, make sure to back up any modified configuration files, deployments, and all user data. After applying the update, restart the instance of Red Hat JBoss Enterprise Application Platform for the changes to take effect.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
1255597 - CVE-2015-5220 OOME from EAP 6 http management console

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5178
https://access.redhat.com/security/cve/CVE-2015-5188
https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Fri Oct 16 14:36:16 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 16 Oct 2015 14:36:16 +0000
Subject: [RHSA-2015:1908-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Message-ID: <201510161436.t9GEaHOv030097@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update
Advisory ID: RHSA-2015:1908-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1908.html
Issue date: 2015-10-15
CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178)

Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change.

It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188)

The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4.
Bugs fixed (https://bugzilla.redhat.com/):

1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1256987 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1
1261576 - RHEL7 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1
1261581 - RHEL7 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1
1261585 - RHEL7 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1
1261589 - RHEL7 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1
1261600 - RHEL7 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2
1261605 - RHEL7 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2
1261620 - RHEL7 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7
1261624 - RHEL7 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6
1261627 - RHEL7 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1
1261992 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1
1262023 - RHEL7 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3
1263381 - RHEL7 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1

5. References:

https://access.redhat.com/security/cve/CVE-2015-5178
https://access.redhat.com/security/cve/CVE-2015-5188
https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
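An added check for the clickjacking condition behind bug 1250552 / CVE-2015-5178 (not part of the advisory or of EAP): it parses an HTTP response and reports whether X-Frame-Options or a CSP frame-ancestors directive restricts framing, so a console can be verified after patching. The two sample responses are constructed, not captured from EAP.

```python
"""
Check an HTTP response for anti-framing protection. Bug 1250552 (CVE-2015-5178)
was a missing X-Frame-Options header on the management console; this reports
whether a response restricts framing and by which mechanism.
The sample responses at the bottom are constructed, not captured from EAP.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FramingVerdict:
    protected: bool
    mechanism: str                 # "csp", "xfo" or "none"
    findings: list[str] = field(default_factory=list)


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Parse the head of a raw HTTP/1.x response into a multi-map keyed by
    lower-cased header name (a header may legitimately repeat)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Source list of the first frame-ancestors directive found across all
    Content-Security-Policy values, lower-cased and unquoted; None if absent."""
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing(headers: dict[str, list[str]]) -> FramingVerdict:
    findings: list[str] = []
    # Browsers that understand frame-ancestors ignore X-Frame-Options when both are present.
    sources = frame_ancestors(headers.get("content-security-policy", []))
    if sources is not None:
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            findings.append(f"frame-ancestors {sources} permits framing from any origin")
            return FramingVerdict(False, "csp", findings)
        return FramingVerdict(True, "csp", findings)
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: any site can "
                        "frame this page (the CVE-2015-5178 condition)")
        return FramingVerdict(False, "none", findings)
    if len(set(xfo)) > 1:
        findings.append(f"conflicting X-Frame-Options values {xfo}; browsers discard the header")
        return FramingVerdict(False, "xfo", findings)
    value = xfo[0]
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(True, "xfo", findings)
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                        "use CSP frame-ancestors instead")
    else:
        findings.append(f"invalid X-Frame-Options value {value!r}")
    return FramingVerdict(False, "xfo", findings)


def check_response(raw: str) -> FramingVerdict:
    return assess_framing(parse_response_headers(raw))


# Constructed sample responses (not EAP output).
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED_RESPONSE), ("protected", PROTECTED_RESPONSE)):
        verdict = check_response(raw)
        print(f"{label}: protected={verdict.protected} via {verdict.mechanism}")
        for finding in verdict.findings:
            print("  -", finding)
```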
From bugzilla at redhat.com Wed Oct 28 14:38:46 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 28 Oct 2015 10:38:46 -0400
Subject: [RHSA-2015:1947-01] Important: Red Hat JBoss Operations Network 3.3.4 update
Message-ID: <201510281438.t9SEckYi009851@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Operations Network 3.3.4 update
Advisory ID: RHSA-2015:1947-01
Product: Red Hat JBoss Operations Network
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1947.html
Issue date: 2015-10-28
CVE Names: CVE-2015-0225
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.3 update 4, which fixes one security issue and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.4 release serves as a replacement for JBoss Operations Network 3.3.3, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

The following security issue is also fixed with this release:

It was found that Apache Cassandra bound an unauthenticated JMX/RMI interface to all network interfaces.
A remote attacker able to access the RMI, an API for the transport and remote execution of serialized Java, could use this flaw to execute arbitrary code as the user running Cassandra. (CVE-2015-0225)

All users of JBoss Operations Network 3.3.3 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.3.4.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.4 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1035481 - Port 9999 is already in use or unavailable when starting/installing/upgrading
1208181 - CVE-2015-0225 Cassandra: remote code execution via unauthenticated JMX/RMI interface
1212407 - RejectedExecutionException during installation of JON server which has been previously patched
1230411 - Storage node results in 1000s of configuration changes filling up the database
1232847 - Increase timeout for repair operation
1234651 - Remove unsupported alert-scripts/README.txt and alert-scripts/example.rb files from product distribution
1234912 - Do not authenticate against new storage node when replication_factor of system_auth keyspace is wrong
1243545 - Assigned resource group list cleared when using group assignment search function
1244941 - Group inventory pages (compatible, mixed, all) fail to display groups due to UI timeouts
1247311 - The patch will fail on windows when it is trying to copy files with too long paths due to windows path length limitation
1251503 - Creation and group association of bundle fails with IllegalArgumentException: Token did not result in valid file when deploy.xml uses rhq handover
1252136 - Initial drift definition snapshot is not taken and breaks drift
1252142 - Creation and group association of bundle fails with timeout followed by IllegalArgumentException: Token did not result in valid file
1252458 - Rebase container upon EAP 6.4 update-03
1255821 - Expose deleteBundleDestination for BundleManagerRemote in JBoss ON CLI
1256329 - JON upgrade from 3.3.2 to JON 3.3.3 does not remove files introduced with JON 3.3.0 upgrade 02
1258870 - It is not possible to delete events using JBoss ON CLI
1259555 - Changing the Storage Node JMX port does not update the JMX connection URL
1265309 - Operations running longer than 24hours should not be considered as not started

5. References:

https://access.redhat.com/security/cve/CVE-2015-0225
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
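An added audit for the condition behind CVE-2015-0225 (not part of the advisory or of JBoss ON): it reads a Cassandra JVM command line for the JDK `com.sun.management.jmxremote.*` properties and for the `cassandra.jmx.local.port` loopback-only mode that upstream cassandra-env.sh uses, and checks `ss -ltn` output for a wildcard bind. The command lines and socket listing are constructed samples; a JON storage node may set these properties differently, so treat the property names as an assumption to verify against the installed cassandra-env.sh.

```python
"""
Audit a Cassandra JVM for the unauthenticated remote JMX/RMI exposure behind
CVE-2015-0225, from (a) the process command line and (b) listening sockets.
All inputs below are constructed samples, not captured from JBoss ON.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

_DPROP = re.compile(r"^-D([^=]+)(?:=(.*))?$")


@dataclass
class JmxVerdict:
    # "disabled", "local-only", "remote-authenticated" or "remote-unauthenticated"
    exposure: str
    port: int | None
    findings: list[str] = field(default_factory=list)


def jvm_properties(cmdline: str) -> dict[str, str]:
    """Collect -Dkey=value system properties from a JVM command line
    (e.g. /proc/<pid>/cmdline with NULs replaced by spaces)."""
    props: dict[str, str] = {}
    for token in shlex.split(cmdline):
        m = _DPROP.match(token)
        if m:
            props[m.group(1)] = m.group(2) or ""
    return props


def _to_port(value: str | None) -> int | None:
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def _is_true(props: dict[str, str], key: str, default: str) -> bool:
    return props.get(key, default).strip().lower() == "true"


def audit_jmx(cmdline: str) -> JmxVerdict:
    """Classify JMX exposure. The JDK remote agent (jmxremote.port set) defaults
    to authenticate=true and ssl=true when those properties are absent;
    cassandra.jmx.local.port (assumed from upstream cassandra-env.sh) means a
    loopback-only JMX server and no remote agent."""
    props = jvm_properties(cmdline)
    findings: list[str] = []
    remote_port = _to_port(props.get("com.sun.management.jmxremote.port"))
    local_port = _to_port(props.get("cassandra.jmx.local.port"))
    if remote_port is None:
        if local_port is not None:
            return JmxVerdict("local-only", local_port, findings)
        return JmxVerdict("disabled", None, findings)
    if not _is_true(props, "com.sun.management.jmxremote.ssl", "true"):
        findings.append(f"JMX on port {remote_port} is plaintext (jmxremote.ssl=false)")
    if not _is_true(props, "com.sun.management.jmxremote.authenticate", "true"):
        findings.append(
            f"remote JMX on port {remote_port} with jmxremote.authenticate=false: "
            "anyone who can reach the port can invoke MBeans as the Cassandra user "
            "(the CVE-2015-0225 condition)")
        return JmxVerdict("remote-unauthenticated", remote_port, findings)
    return JmxVerdict("remote-authenticated", remote_port, findings)


def listens_on_all_interfaces(ss_output: str, port: int) -> bool | None:
    """From `ss -ltn`-style output, tell whether TCP `port` is bound to a
    wildcard address. Returns None if nothing listens on that port."""
    wildcard = {"*", "0.0.0.0", "[::]", "::"}
    result: bool | None = None
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, p = fields[3].rpartition(":")
        if p == str(port):
            result = bool(result) or host in wildcard
    return result


# Constructed samples (not real JON/Cassandra output).
VULNERABLE_CMDLINE = (
    "java -ea -Xms1G -Dcom.sun.management.jmxremote.port=7199 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "org.apache.cassandra.service.CassandraDaemon"
)
HARDENED_CMDLINE = (
    "java -ea -Xms1G -Dcassandra.jmx.local.port=7199 "
    "-XX:+DisableAttachMechanism org.apache.cassandra.service.CassandraDaemon"
)
SS_SAMPLE = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      50     *:7199             *:*
LISTEN  0      128    127.0.0.1:9160     *:*
"""

if __name__ == "__main__":
    for name, cmd in (("vulnerable", VULNERABLE_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        v = audit_jmx(cmd)
        print(f"{name}: {v.exposure} (port {v.port})")
        for f in v.findings:
            print("  -", f)
    print("7199 bound to all interfaces:", listens_on_all_interfaces(SS_SAMPLE, 7199))
```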