Advisory Published

RHSA-2010:0119: Low: JBoss Enterprise Web Server 1.0.1 update

First published: Tue Feb 23 2010 (Updated: )

JBoss Enterprise Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the industry's leading web server (Apache HTTP Server), the popular Apache Tomcat servlet container, as well as the mod_jk connector and the Tomcat Native library.

This 1.0.1 release of JBoss Enterprise Web Server serves as a replacement to JBoss Enterprise Web Server 1.0.0 GA. These updated packages include a number of bug fixes. For detailed component, installation, and bug fix information, refer to the JBoss Enterprise Web Server 1.0.1 Release Notes, available shortly from the link in the References section of this erratum.

The following security issues are also fixed with this release:

A directory traversal flaw was found in the Tomcat deployment process. An attacker could create a specially-crafted WAR file, which once deployed by a local, unsuspecting user, would lead to attacker-controlled content being deployed outside of the web root, into directories accessible to the Tomcat process. (CVE-2009-2693)

A second directory traversal flaw was found in the Tomcat deployment process. WAR file names were not sanitized, which could allow an attacker to create a specially-crafted WAR file that could delete files in the Tomcat host's work directory. (CVE-2009-2902)

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555)

This update provides a mitigation for this flaw in the following components:

tomcat5 and tomcat6: A new attribute, allowUnsafeLegacyRenegotiation, is available for the blocking IO (BIO) connector using JSSE, to enable or disable TLS session renegotiation. The default value is "false", meaning session renegotiation, both client- and server-initiated, is disabled by default.

tomcat-native: Client-initiated renegotiation is now rejected by the native connector. Server-initiated renegotiation is still allowed.

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

All users of JBoss Enterprise Web Server 1.0.0 on Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated packages.
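As an added defensive check (not part of this advisory or of Tomcat itself), the following Python validates a WAR before it is handed to the deployer against the two traversal problems described above: archive entries whose path escapes the web application directory (CVE-2009-2693) and WAR file names that are not a single plain path component (CVE-2009-2902). The in-memory sample WAR, the webapp root path and the file-name policy are constructed assumptions.

```python
import io
import posixpath
import re
import zipfile

# Constructed sample: an in-memory WAR holding two normal entries and one
# entry whose name climbs out of the web application directory.
def build_sample_war() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<html>ok</html>")
        zf.writestr("../../conf/tomcat-users.xml", "<tomcat-users/>")
    return buf.getvalue()

def unsafe_entries(war_bytes: bytes,
                   webapp_root: str = "/var/lib/tomcat/webapps/app") -> list:
    """Return entry names that would be written outside webapp_root.

    Every entry name is joined to the (assumed) deployment directory and
    normalised; a result that no longer sits below that directory, because
    of '..' components or an absolute path, is reported. This is the kind
    of pre-deployment check that closes CVE-2009-2693.
    """
    root = posixpath.normpath(webapp_root)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            target = posixpath.normpath(
                posixpath.join(root, name.replace("\\", "/")))
            if target != root and not target.startswith(root + "/"):
                flagged.append(name)
    return flagged

# Conservative file-name policy (an assumption, not Tomcat's own rule): a
# WAR name is one path component of ordinary characters that does not start
# with a dot and contains no '..'. Names failing it could otherwise steer
# the deployer's work-directory path (the problem behind CVE-2009-2902).
_WAR_NAME = re.compile(r"^[A-Za-z0-9_#-][A-Za-z0-9_.#-]*\.war$")

def is_safe_war_filename(filename: str) -> bool:
    return bool(_WAR_NAME.match(filename)) and ".." not in filename

if __name__ == "__main__":
    print("unsafe entries:", unsafe_entries(build_sample_war()))
    for name in ("app.war", "..war", "../app.war"):
        print(name, "->", "ok" if is_safe_war_filename(name) else "rejected")
```

Run it against a real WAR by reading the file's bytes into unsafe_entries() and passing the intended context directory as webapp_root.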

Affected Software                        Affected Version           How to fix
redhat/glassfish-jsf                     < 1.2_13-3.ep5.el5         1.2_13-3.ep5.el5
redhat/httpd                             < 2.2.14-1.2.1.ep5.el5     2.2.14-1.2.1.ep5.el5
redhat/httpd-devel                       < 2.2.14-1.2.1.ep5.el5     2.2.14-1.2.1.ep5.el5
redhat/httpd-manual                      < 2.2.14-1.2.1.ep5.el5     2.2.14-1.2.1.ep5.el5
redhat/jakarta-commons-chain             < 1.2-2.1.1.ep5.el5        1.2-2.1.1.ep5.el5
redhat/jakarta-commons-io                < 1.4-1.1.ep5.el5          1.4-1.1.ep5.el5
redhat/jakarta-oro                       < 2.0.8-3.1.ep5.el5        2.0.8-3.1.ep5.el5
redhat/struts12                          < 1.2.9-2.ep5.el5          1.2.9-2.ep5.el5
redhat/tomcat-native                     < 1.1.19-2.0.1.ep5.el5     1.1.19-2.0.1.ep5.el5
redhat/tomcat5                           < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-admin-webapps             < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-common-lib                < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-jasper                    < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-jasper-eclipse            < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-jasper-javadoc            < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-jsp-2.0-api               < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-jsp-2.0-api-javadoc       < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-parent                    < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-server-lib                < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-servlet-2.4-api           < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-servlet-2.4-api-javadoc   < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat5-webapps                   < 5.5.28-7.1.ep5.el5       5.5.28-7.1.ep5.el5
redhat/tomcat6                           < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-admin-webapps             < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-docs-webapp               < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-el-1.0-api                < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-javadoc                   < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-jsp-2.1-api               < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-lib                       < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-log4j                     < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-servlet-2.5-api           < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
redhat/tomcat6-webapps                   < 6.0.24-2.1.ep5.el5       6.0.24-2.1.ep5.el5
