[RHSA-2016:2036-01] Important: Red Hat JBoss A-MQ 6.3 security update

bugzilla at redhat.com bugzilla at redhat.com
Thu Oct 6 16:19:12 UTC 2016

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss A-MQ 6.3 security update
Advisory ID:       RHSA-2016:2036-01
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2036.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-7940 CVE-2016-4437 

1. Summary:

Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat
JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.

Security Fix(es):

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:


6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
Version: GnuPG v1


More information about the Jboss-watch-list mailing list