[RHSA-2016:0062-01] Moderate: Red Hat JBoss Web Server 2.1.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Thu Jan 21 15:55:59 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.1.0 security update
Advisory ID:       RHSA-2016:0062-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0062.html
Issue date:        2016-01-21
CVE Names:         CVE-2012-0876 CVE-2012-1148 CVE-2013-5704 
                   CVE-2015-3183 
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 2.1.0 that fixes four security
issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores, 
which give detailed severity ratings, are available for each vulnerability 
from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of 
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector 
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat 
Native library.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

A denial of service flaw was found in the implementation of hash arrays in 
Expat. An attacker could use this flaw to make an application using Expat 
consume an excessive amount of CPU time by providing a specially-crafted
XML file that triggers multiple hash function collisions. To mitigate this
issue, randomization has been added to the hash function to reduce the
chance of an attacker successfully causing intentional collisions.
(CVE-2012-0876)

A memory leak flaw was found in Expat. If an XML file processed by an 
application linked against Expat triggered a memory re-allocation failure, 
Expat failed to free the previously allocated memory. This could cause the 
application to exit unexpectedly or crash when all available memory is 
exhausted. (CVE-2012-1148)

A flaw was found in the way httpd handled HTTP Trailer headers when 
processing requests using chunked encoding. A malicious client could use 
Trailer headers to set additional HTTP headers after header processing was 
performed by other modules. This could, for example, lead to a bypass of 
header restrictions defined with mod_headers. (CVE-2013-5704)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat 
Customer Portal are advised to apply this update. The Red Hat JBoss Web 
Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

786617 - CVE-2012-0876 expat: hash table collisions CPU usage DoS
801648 - CVE-2012-1148 expat: Memory leak in poolGrow
1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

5. References:

https://access.redhat.com/security/cve/CVE-2012-0876
https://access.redhat.com/security/cve/CVE-2012-1148
https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWoP+OXlSAg2UNWIIRAmwSAJ9P8tubWwCMgf0/pn0FHW0+9lJi5gCfRjzk
uZNZSNVSpGDhmFbDwlBzdyw=
=oXVf
-----END PGP SIGNATURE-----

More information about the Jboss-watch-list mailing list