First published: Wed Dec 09 2009
JBoss Enterprise Application Platform is the market-leading platform for innovative and scalable Java applications; it integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement for JBEAP 4.3.0.CP06.

These updated packages include bug fixes and enhancements which are detailed in the Release Notes, available shortly from: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/

The following security issues are also fixed with this release:

A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xml-security. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217)

Swatej Kumar discovered cross-site scripting (XSS) flaws in the JBoss Application Server Web Console. An attacker could use these flaws to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-2405)

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

An information leak flaw was found in the twiddle command line client. The JMX password was logged in plain text to "twiddle.log". (CVE-2009-3554)

An XSS flaw was found in the JMX Console. An attacker could use this flaw to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-1380)

Warning: Before applying this update, please back up the JBEAP "server/[configuration]/deploy/" directory, and any other customized configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
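As an added illustration of the check behind CVE-2009-0217 (example code written for this page, not code from xml-security or Red Hat), the following Python models a verifier that enforces a minimum HMACOutputLength before comparing a truncated HMAC signature value. The 80-bit floor and the half-of-hash-output floor are the thresholds the XML Signature errata recommend; byte-multiple truncation and the constructed key and SignedInfo bytes are assumptions made for brevity.

```python
import hmac
import hashlib

# Constructed example, not xml-security's own code. XML Signature lets a signer
# truncate an HMAC via <HMACOutputLength>; the missing check in CVE-2009-0217
# was that a verifier accepted any length, so a very short tag could be guessed.
MIN_HMAC_BITS = 80  # floor recommended by the XML Signature errata (assumption)


def hash_output_bits(hash_name: str) -> int:
    """Output size in bits of the underlying hash (e.g. 160 for sha1)."""
    return hashlib.new(hash_name).digest_size * 8


def minimum_output_length(hash_name: str) -> int:
    """Smallest HMACOutputLength a verifier should accept for this hash."""
    return max(MIN_HMAC_BITS, hash_output_bits(hash_name) // 2)


def hmac_output_length_acceptable(requested_bits: int, hash_name: str) -> bool:
    """True only for lengths between the minimum and the full hash output."""
    return minimum_output_length(hash_name) <= requested_bits <= hash_output_bits(hash_name)


def truncated_hmac(key: bytes, data: bytes, hash_name: str, output_bits: int) -> bytes:
    """HMAC over the canonicalised SignedInfo bytes, truncated to whole bytes."""
    mac = hmac.new(key, data, hash_name).digest()
    return mac[: output_bits // 8]


def verify_signature(key: bytes, signed_info: bytes, signature_value: bytes,
                     hash_name: str, output_bits: int):
    """Return (ok, reason). The length check runs BEFORE any MAC comparison,
    so an undersized HMACOutputLength is rejected regardless of the tag bytes."""
    if not hmac_output_length_acceptable(output_bits, hash_name):
        return False, "HMACOutputLength %d below minimum %d" % (
            output_bits, minimum_output_length(hash_name))
    expected = truncated_hmac(key, signed_info, hash_name, output_bits)
    if not hmac.compare_digest(expected, signature_value):  # constant-time compare
        return False, "SignatureValue mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"        # constructed sample key
    signed_info = b"<SignedInfo>constructed</SignedInfo>"  # constructed sample bytes
    tag = truncated_hmac(key, signed_info, "sha1", 80)
    print(verify_signature(key, signed_info, tag, "sha1", 80))   # accepted
    print(verify_signature(key, signed_info, tag[:1], "sha1", 8))  # rejected by length check
```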
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/glassfish-jaxb | <2.1.4-1.12.patch03.1.ep1.el5 | 2.1.4-1.12.patch03.1.ep1.el5 |
redhat/glassfish-jaxb-javadoc | <2.1.4-1.12.patch03.1.ep1.el5 | 2.1.4-1.12.patch03.1.ep1.el5 |
redhat/glassfish-jsf | <1.2_13-2.1.ep1.el5 | 1.2_13-2.1.ep1.el5 |
redhat/hibernate3 | <3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 | 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 |
redhat/hibernate3-annotations | <3.3.1-1.11GA_CP02.ep1.el5 | 3.3.1-1.11GA_CP02.ep1.el5 |
redhat/hibernate3-annotations-javadoc | <3.3.1-1.11GA_CP02.ep1.el5 | 3.3.1-1.11GA_CP02.ep1.el5 |
redhat/hibernate3-entitymanager | <3.3.2-2.5.1.ep1.el5 | 3.3.2-2.5.1.ep1.el5 |
redhat/hibernate3-entitymanager-javadoc | <3.3.2-2.5.1.ep1.el5 | 3.3.2-2.5.1.ep1.el5 |
redhat/hibernate3-javadoc | <3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 | 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5 |
redhat/jacorb | <2.3.0-1jpp.ep1.9.1.el5 | 2.3.0-1jpp.ep1.9.1.el5 |
redhat/jboss-aop | <1.5.5-3.CP04.2.ep1.el5 | 1.5.5-3.CP04.2.ep1.el5 |
redhat/jboss-common | <1.2.1-0jpp.ep1.3.el5.1 | 1.2.1-0jpp.ep1.3.el5.1 |
redhat/jboss-messaging | <1.4.0-3.SP3_CP09.4.ep1.el5 | 1.4.0-3.SP3_CP09.4.ep1.el5 |
redhat/jboss-remoting | <2.2.3-3.SP1.ep1.el5 | 2.2.3-3.SP1.ep1.el5 |
redhat/jboss-seam | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 |
redhat/jboss-seam-docs | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1 |
redhat/jboss-seam2 | <2.0.2.FP-1.ep1.18.el5 | 2.0.2.FP-1.ep1.18.el5 |
redhat/jboss-seam2-docs | <2.0.2.FP-1.ep1.18.el5 | 2.0.2.FP-1.ep1.18.el5 |
redhat/jbossas | <4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0-6.GA_CP07.4.2.ep1.el5 |
redhat/jbossas | <4.3.0.GA_CP07-bin-4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0.GA_CP07-bin-4.3.0-6.GA_CP07.4.2.ep1.el5 |
redhat/jbossas-client | <4.3.0-6.GA_CP07.4.2.ep1.el5 | 4.3.0-6.GA_CP07.4.2.ep1.el5 |
redhat/jbossts | <4.2.3-1.SP5_CP08.1jpp.ep1.1.el5 | 4.2.3-1.SP5_CP08.1jpp.ep1.1.el5 |
redhat/jbossweb | <2.0.0-6.CP12.0jpp.ep1.2.el5 | 2.0.0-6.CP12.0jpp.ep1.2.el5 |
redhat/jbossws | <2.0.1-4.SP2_CP07.2.1.ep1.el5 | 2.0.1-4.SP2_CP07.2.1.ep1.el5 |
redhat/jbossws-common | <1.0.0-2.GA_CP05.1.ep1.el5 | 1.0.0-2.GA_CP05.1.ep1.el5 |
redhat/jbossws-framework | <2.0.1-1.GA_CP05.1.ep1.el5 | 2.0.1-1.GA_CP05.1.ep1.el5 |
redhat/jbossws-native42 | <2.0.1-4.SP2_CP07.2.1.ep1.el5 | 2.0.1-4.SP2_CP07.2.1.ep1.el5 |
redhat/jcommon | <1.0.16-1.1.ep1.el5 | 1.0.16-1.1.ep1.el5 |
redhat/jfreechart | <1.0.13-2.3.1.ep1.el5 | 1.0.13-2.3.1.ep1.el5 |
redhat/jgroups | <2.4.7-1.ep1.el5 | 2.4.7-1.ep1.el5 |
redhat/quartz | <1.5.2-1jpp.patch01.ep1.4.1.el5 | 1.5.2-1jpp.patch01.ep1.4.1.el5 |
redhat/rh-eap-docs | <4.3.0-6.GA_CP07.ep1.3.el5 | 4.3.0-6.GA_CP07.ep1.3.el5 |
redhat/rh-eap-docs-examples | <4.3.0-6.GA_CP07.ep1.3.el5 | 4.3.0-6.GA_CP07.ep1.3.el5 |
redhat/xml-security | <1.3.0-1.3.patch01.ep1.2.1.el5 | 1.3.0-1.3.patch01.ep1.2.1.el5 |
The severity of RHSA-2009:1649 is classified as important.
To fix RHSA-2009:1649, update the affected packages to the versions specified in the advisory.
RHSA-2009:1649 affects several packages including glassfish-jaxb, hibernate3, and jbossweb.
There are no specific workarounds provided for RHSA-2009:1649; updating is recommended.
RHSA-2009:1649 was released on October 27, 2009.