CWE: 79
Advisory Published

RHSA-2009:1649: Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update

First published: Wed Dec 09 2009 (Updated: )

JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.3.0.CP06.

These updated packages include bug fixes and enhancements which are detailed in the Release Notes, available shortly from:
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/

The following security issues are also fixed with this release:

A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xml-security. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217)

Swatej Kumar discovered cross-site scripting (XSS) flaws in the JBoss Application Server Web Console. An attacker could use these flaws to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-2405)

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

An information leak flaw was found in the twiddle command line client. The JMX password was logged in plain text to "twiddle.log". (CVE-2009-3554)

An XSS flaw was found in the JMX Console. An attacker could use this flaw to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-1380)

Warning: Before applying this update, please backup the JBEAP "server/[configuration]/deploy/" directory, and any other customized configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
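The CVE-2009-0217 entry above concerns a verifier that trusted the HMACOutputLength value carried inside the signed document without checking it against a minimum. The following Python is an added illustration, not code from the advisory or from the xml-security project: it models that minimum-length check and shows how a verifier behaves with and without it. The minimum used (half the digest length, never below 80 bits) and the helper names are assumptions of this example.

```python
import hashlib
import hmac

# Minimum truncated length assumed here from the XML Signature errata issued
# for CVE-2009-0217: at least half of the digest length, never below 80 bits.
ABSOLUTE_MIN_BITS = 80


def hmac_output_length_ok(requested_bits, digest_bits):
    """True if truncating a digest_bits-long HMAC to requested_bits is allowed."""
    if requested_bits <= 0 or requested_bits > digest_bits:
        return False
    return requested_bits >= max(ABSOLUTE_MIN_BITS, digest_bits // 2)


def _leftmost_bits(data, nbits):
    """Leftmost nbits of data, right-aligned in the minimum number of bytes."""
    value = int.from_bytes(data, "big") >> (len(data) * 8 - nbits)
    return value.to_bytes((nbits + 7) // 8, "big")


def sign_truncated_hmac(key, data, requested_bits, hash_name="sha1"):
    """Truncated HMAC a legitimate signer places in SignatureValue."""
    return _leftmost_bits(hmac.new(key, data, hash_name).digest(), requested_bits)


def verify_truncated_hmac(key, data, signature, requested_bits,
                          hash_name="sha1", enforce_minimum=True):
    """Verify a truncated HMAC. HMACOutputLength comes from the signed
    document, so it is attacker-controlled; enforce_minimum=False reproduces
    the unpatched behaviour of trusting it blindly."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    if requested_bits <= 0 or requested_bits > digest_bits:
        return False
    if enforce_minimum and not hmac_output_length_ok(requested_bits, digest_bits):
        return False
    expected = sign_truncated_hmac(key, data, requested_bits, hash_name)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    key = b"constructed-demo-key"                    # constructed sample values
    msg = b"<Assertion>constructed</Assertion>"
    good = sign_truncated_hmac(key, msg, 96)
    print(verify_truncated_hmac(key, msg, good, 96))  # True
    # With HMACOutputLength=1 there are only two candidate values; an
    # unpatched verifier accepts one of them, the fixed check rejects both.
    for cand in (b"\x00", b"\x01"):
        print(verify_truncated_hmac(key, msg, cand, 1, enforce_minimum=False),
              verify_truncated_hmac(key, msg, cand, 1))
```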

| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/glassfish-jaxb | <2.1.4-1.12.patch03.1.ep1.el5 | 2.1.4-1.12.patch03.1.ep1.el5 |
| redhat/glassfish-jaxb-javadoc | <2.1.4-1.12.patch03.1.ep1.el5 | 2.1.4-1.12.patch03.1.ep1.el5 |
| redhat/glassfish-jsf | <1.2_13-2.1.ep1.el5 | 1.2_13-2.1.ep1.el5 |
| redhat/hibernate3 | <3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 | 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 |
| redhat/hibernate3-annotations | <3.3.1-1.11GA_CP02.ep1.el5 | 3.3.1-1.11GA_CP02.ep1.el5 |
| redhat/hibernate3-annotations-javadoc | <3.3.1-1.11GA_CP02.ep1.el5 | 3.3.1-1.11GA_CP02.ep1.el5 |
| redhat/hibernate3-entitymanager | <3.3.2-2.5.1.ep1.el5 | 3.3.2-2.5.1.ep1.el5 |
| redhat/hibernate3-entitymanager-javadoc | <3.3.2-2.5.1.ep1.el5 | 3.3.2-2.5.1.ep1.el5 |
| redhat/hibernate3-javadoc | <3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 | 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 |
| redhat/jacorb | <2.3.0-1jpp.ep1.9.1.el5 | 2.3.0-1jpp.ep1.9.1.el5 |
| redhat/jboss-aop | <1.5.5-3.CP04.2.ep1.el5 | 1.5.5-3.CP04.2.ep1.el5 |
| redhat/jboss-common | <1.2.1-0jpp.ep1.3.el5.1 | 1.2.1-0jpp.ep1.3.el5.1 |
| redhat/jboss-messaging | <1.4.0-3.SP3_CP09.4.ep1.el5 | 1.4.0-3.SP3_CP09.4.ep1.el5 |
| redhat/jboss-remoting | <2.2.3-3.SP1.ep1.el5 | 2.2.3-3.SP1.ep1.el5 |
| redhat/jboss-seam | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 |
| redhat/jboss-seam-docs | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 |
| redhat/jboss-seam2 | <2.0.2.FP-1.ep1.18.el5 | 2.0.2.FP-1.ep1.18.el5 |
| redhat/jboss-seam2-docs | <2.0.2.FP-1.ep1.18.el5 | 2.0.2.FP-1.ep1.18.el5 |
| redhat/jbossas | <4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0-6.GA_CP07.4.2.ep1.el5 |
| redhat/jbossas | <4.3.0.GA_CP07-bin-4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0.GA_CP07-bin-4.3.0-6.GA_CP07.4.2.ep1.el5 |
| redhat/jbossas-client | <4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0-6.GA_CP07.4.2.ep1.el5 |
| redhat/jbossts | <4.2.3-1.SP5_CP08.1jpp.ep1.1.el5 | 4.2.3-1.SP5_CP08.1jpp.ep1.1.el5 |
| redhat/jbossweb | <2.0.0-6.CP12.0jpp.ep1.2.el5 | 2.0.0-6.CP12.0jpp.ep1.2.el5 |
| redhat/jbossws | <2.0.1-4.SP2_CP07.2.1.ep1.el5 | 2.0.1-4.SP2_CP07.2.1.ep1.el5 |
| redhat/jbossws-common | <1.0.0-2.GA_CP05.1.ep1.el5 | 1.0.0-2.GA_CP05.1.ep1.el5 |
| redhat/jbossws-framework | <2.0.1-1.GA_CP05.1.ep1.el5 | 2.0.1-1.GA_CP05.1.ep1.el5 |
| redhat/jbossws-native42 | <2.0.1-4.SP2_CP07.2.1.ep1.el5 | 2.0.1-4.SP2_CP07.2.1.ep1.el5 |
| redhat/jcommon | <1.0.16-1.1.ep1.el5 | 1.0.16-1.1.ep1.el5 |
| redhat/jfreechart | <1.0.13-2.3.1.ep1.el5 | 1.0.13-2.3.1.ep1.el5 |
| redhat/jgroups | <2.4.7-1.ep1.el5 | 2.4.7-1.ep1.el5 |
| redhat/quartz | <1.5.2-1jpp.patch01.ep1.4.1.el5 | 1.5.2-1jpp.patch01.ep1.4.1.el5 |
| redhat/rh-eap-docs | <4.3.0-6.GA_CP07.ep1.3.el5 | 4.3.0-6.GA_CP07.ep1.3.el5 |
| redhat/rh-eap-docs-examples | <4.3.0-6.GA_CP07.ep1.3.el5 | 4.3.0-6.GA_CP07.ep1.3.el5 |
| redhat/xml-security | <1.3.0-1.3.patch01.ep1.2.1.el5 | 1.3.0-1.3.patch01.ep1.2.1.el5 |
