First published: Tue Feb 23 2010
JBoss Enterprise Web Server is a fully integrated and certified set of components for hosting Java web applications. It comprises the industry's leading web server (Apache HTTP Server), the popular Apache Tomcat servlet container, the mod_jk connector and the Tomcat Native library.

This 1.0.1 release of JBoss Enterprise Web Server serves as a replacement for JBoss Enterprise Web Server 1.0.0 GA. These updated packages include a number of bug fixes. For detailed component, installation, and bug fix information, refer to the JBoss Enterprise Web Server 1.0.1 Release Notes, available shortly from the link in the References section of this erratum.

The following security issues are also fixed with this release:

A directory traversal flaw was found in the Tomcat deployment process. An attacker could create a specially-crafted WAR file which, once deployed by a local, unsuspecting user, would lead to attacker-controlled content being deployed outside of the web root, into directories accessible to the Tomcat process. (CVE-2009-2693)

A second directory traversal flaw was found in the Tomcat deployment process. WAR file names were not sanitized, which could allow an attacker to create a specially-crafted WAR file that could delete files in the Tomcat host's work directory. (CVE-2009-2902)

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if it had been authenticated using the victim's credentials. (CVE-2009-3555)

This update provides a mitigation for this flaw in the following components:

tomcat5 and tomcat6: A new attribute, allowUnsafeLegacyRenegotiation, is available for the blocking IO (BIO) connector using JSSE, to enable or disable TLS session renegotiation. The default value is "false", meaning session renegotiation, both client- and server-initiated, is disabled by default.

tomcat-native: Client-initiated renegotiation is now rejected by the native connector. Server-initiated renegotiation is still allowed.

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

All users of JBoss Enterprise Web Server 1.0.0 on Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated packages.
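Both deployment flaws above come down to filesystem paths being built from untrusted names (archive entry names for CVE-2009-2693, the WAR file name for CVE-2009-2902) without confining them to the intended directory. The following is an added example, not code from the erratum or from Tomcat, showing the confinement checks a deployer should apply; the WAR contents, the deploy root `/opt/tomcat/webapps/app` and all function names are constructed for illustration.

```python
"""Constructed example: confine WAR entry names and the WAR base name
to their intended directories before anything is written or deleted."""
import io
import os
import zipfile


def entry_is_confined(entry_name: str, deploy_root: str) -> bool:
    """True if an archive entry resolves to a path inside deploy_root."""
    # Absolute paths, backslashes and NUL bytes are never legitimate in a WAR.
    if (not entry_name or entry_name.startswith(("/", "\\"))
            or "\\" in entry_name or "\0" in entry_name):
        return False
    root = os.path.normpath(os.path.abspath(deploy_root))
    # Canonicalise the joined path so that ".." components are resolved,
    # then require the result to be root itself or something below it.
    target = os.path.normpath(os.path.join(root, *entry_name.split("/")))
    return os.path.commonpath([root, target]) == root


def unsafe_entries(war_bytes: bytes, deploy_root: str) -> list:
    """Return the entry names of a WAR that would escape deploy_root."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return [n for n in war.namelist() if not entry_is_confined(n, deploy_root)]


def context_name_is_safe(war_filename: str) -> bool:
    """True if a WAR base name is usable as a context / work directory name.

    Tomcat derives both from the WAR base name, so a name carrying separators
    or ".." can redirect them (the CVE-2009-2902 work-directory deletion)."""
    base = war_filename[:-4] if war_filename.lower().endswith(".war") else war_filename
    return (bool(base) and base not in (".", "..")
            and not any(bad in base for bad in ("/", "\\", "..", "\0")))


def build_sample_war() -> bytes:
    """Constructed WAR: two normal entries and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        war.writestr("index.jsp", b"<%= 1 %>")
        war.writestr("../../conf/dropped.jsp", b"would land outside webapps/")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_entries(build_sample_war(), "/opt/tomcat/webapps/app"))
    print(context_name_is_safe("../other.war"))
```

A deployer that rejects the whole archive when `unsafe_entries` is non-empty, and refuses a WAR whose base name fails `context_name_is_safe`, removes both traversal paths regardless of what the archive claims.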
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/glassfish-jsf | <1.2_13-3.ep5.el5 | 1.2_13-3.ep5.el5 |
redhat/httpd | <2.2.14-1.2.1.ep5.el5 | 2.2.14-1.2.1.ep5.el5 |
redhat/httpd-devel | <2.2.14-1.2.1.ep5.el5 | 2.2.14-1.2.1.ep5.el5 |
redhat/httpd-manual | <2.2.14-1.2.1.ep5.el5 | 2.2.14-1.2.1.ep5.el5 |
redhat/jakarta-commons-chain | <1.2-2.1.1.ep5.el5 | 1.2-2.1.1.ep5.el5 |
redhat/jakarta-commons-io | <1.4-1.1.ep5.el5 | 1.4-1.1.ep5.el5 |
redhat/jakarta-oro | <2.0.8-3.1.ep5.el5 | 2.0.8-3.1.ep5.el5 |
redhat/struts12 | <1.2.9-2.ep5.el5 | 1.2.9-2.ep5.el5 |
redhat/tomcat-native | <1.1.19-2.0.1.ep5.el5 | 1.1.19-2.0.1.ep5.el5 |
redhat/tomcat5 | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-admin-webapps | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-common-lib | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-jasper | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-jasper-eclipse | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-jasper-javadoc | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-jsp-2.0-api | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-jsp-2.0-api-javadoc | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-parent | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-server-lib | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-servlet-2.4-api | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-servlet-2.4-api-javadoc | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat5-webapps | <5.5.28-7.1.ep5.el5 | 5.5.28-7.1.ep5.el5 |
redhat/tomcat6 | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-admin-webapps | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-docs-webapp | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-el-1.0-api | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-javadoc | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-jsp-2.1-api | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-lib | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-log4j | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-servlet-2.5-api | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |
redhat/tomcat6-webapps | <6.0.24-2.1.ep5.el5 | 6.0.24-2.1.ep5.el5 |