First published: Tue Apr 27 2010
JBoss Enterprise Application Platform is the market-leading platform for innovative and scalable Java applications; it integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement for JBEAP 4.3.0.CP07.

These updated packages include multiple bug fixes which are detailed in the Release Notes. The Release Notes will be available shortly from the link in the References section.

The following security issues are also fixed with this release:

The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP "verbs". A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs. This means that the authentication requirement is applied to all requests. (CVE-2010-0738)

For the CVE-2010-0738 issue, if an immediate upgrade is not possible or the server deployment has been customized, a manual fix can be applied. Refer to the "Security" subsection of the "Issues fixed in this release" section (JBPAPP-3952) of the JBEAP Release Notes, linked to in the References, for details. Contact Red Hat JBoss Support for advice before making the changes noted in the Release Notes.

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting the CVE-2010-0738 issue.

Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked the GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. This release contains a Web Console with an updated configuration that now blocks all unauthenticated access to it by default. (CVE-2010-1428)

The RHSA-2008:0828 update fixed an issue (CVE-2008-3273) where unauthenticated users were able to access the status servlet; however, a bug fix included in the RHSA-2009:0349 update re-introduced the issue. A remote attacker could use this flaw to acquire details about deployed web contexts. (CVE-2010-1429)

Warning: Before applying this update, please back up the JBEAP "server/[configuration]/deploy/" directory, and any other customized configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
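The two console flaws above (CVE-2010-0738 and CVE-2010-1428) share one root cause in the servlet deployment descriptor: a `<security-constraint>` whose `<web-resource-collection>` lists `<http-method>` elements demands authentication only for the verbs it names, so HEAD, PUT, DELETE or any made-up verb reaches the servlet unauthenticated. The script below is an added example, not code from the Red Hat advisory or from JBoss. It embeds a constructed web.xml fragment modelled on the shape of a GET/POST-only console constraint (the exact original descriptor is not reproduced on this page; the resource, realm and role names are assumptions) next to the same constraint with the verb list removed, which is the shape of the fix described in the advisory, and audits both for verb-limited constraints.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor (not the real jmx-console web.xml) modelled on the
# pre-fix shape: authentication is demanded for GET and POST only.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# The same constraint with the <http-method> list removed: the shape of the
# fix, so the auth-constraint now applies to every request regardless of verb.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# Verbs a quick probe would try; any verb missing from a constraint's list is
# handled without authentication.
PROBE_VERBS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _local(tag):
    """Strip the XML namespace so Servlet 2.3 (DTD) and 2.4+ (xmlns) files audit alike."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Text of every direct child of `parent` whose local tag name is `name`."""
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]


def verb_limited_constraints(web_xml):
    """Return (resource_name, url_patterns, listed_verbs, unprotected_verbs) for every
    authenticated web-resource-collection that names <http-method> elements.

    A constraint that lists verbs protects only those verbs; any other verb reaches
    the servlet without authentication, which is the CVE-2010-0738 pattern.
    """
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # Without an <auth-constraint> there is no authentication to bypass.
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            verbs = _texts(wrc, "http-method")
            if not verbs:
                continue  # no verb list: the constraint covers all methods
            names = _texts(wrc, "web-resource-name")
            name = names[0] if names else "<unnamed>"
            unprotected = [v for v in PROBE_VERBS if v not in verbs]
            findings.append((name, _texts(wrc, "url-pattern"), verbs, unprotected))
    return findings


def is_verb_limited(web_xml):
    """True when at least one authenticated constraint is limited to specific verbs."""
    return bool(verb_limited_constraints(web_xml))


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        findings = verb_limited_constraints(doc)
        if not findings:
            print(f"{label}: authentication applies to all verbs")
        for name, patterns, verbs, unprotected in findings:
            print(f"{label}: {name} on {patterns} authenticates only {verbs}; "
                  f"{unprotected} bypass it")
```

Point `verb_limited_constraints` at each console's `WEB-INF/web.xml` under the `server/[configuration]/deploy/` directory the advisory tells you to back up, including any customized copies that an RPM upgrade would not overwrite. Confirm a finding against the running server by sending a HEAD request (`curl -I`) or an arbitrary verb (`curl -X FOO`) to the protected URL: a correctly constrained console answers 401 for every verb, not only for GET and POST.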
Affected Software | Affected Version | Fixed Version |
---|---|---|
redhat/hibernate3 | <3.2.4-1.SP1_CP10.0jpp.ep1.1.el5 | 3.2.4-1.SP1_CP10.0jpp.ep1.1.el5 |
redhat/hibernate3-annotations | <3.3.1-1.12.GA_CP03.ep1.el5 | 3.3.1-1.12.GA_CP03.ep1.el5 |
redhat/hibernate3-annotations-javadoc | <3.3.1-1.12.GA_CP03.ep1.el5 | 3.3.1-1.12.GA_CP03.ep1.el5 |
redhat/hibernate3-javadoc | <3.2.4-1.SP1_CP10.0jpp.ep1.1.el5 | 3.2.4-1.SP1_CP10.0jpp.ep1.1.el5 |
redhat/jacorb | <2.3.0-1jpp.ep1.10.1.el5 | 2.3.0-1jpp.ep1.10.1.el5 |
redhat/jboss-aop | <1.5.5-3.CP05.2.ep1.1.el5 | 1.5.5-3.CP05.2.ep1.1.el5 |
redhat/jboss-cache | <1.4.1-6.SP14.1.ep1.1.el5 | 1.4.1-6.SP14.1.ep1.1.el5 |
redhat/jboss-messaging | <1.4.0-3.SP3_CP10.2.ep1.el5 | 1.4.0-3.SP3_CP10.2.ep1.el5 |
redhat/jboss-remoting | <2.2.3-3.SP2.ep1.1.el5 | 2.2.3-3.SP2.ep1.1.el5 |
redhat/jboss-seam | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1 |
redhat/jboss-seam-docs | <1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1 | 1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1 |
redhat/jboss-seam2 | <2.0.2.FP-1.ep1.23.el5 | 2.0.2.FP-1.ep1.23.el5 |
redhat/jboss-seam2-docs | <2.0.2.FP-1.ep1.23.el5 | 2.0.2.FP-1.ep1.23.el5 |
redhat/jbossas | <4.3.0-7.GA_CP08.5.ep1.el5 | 4.3.0-7.GA_CP08.5.ep1.el5 |
redhat/jbossas | <4.3.0.GA_CP08-bin-4.3.0-7.GA_CP08.5.ep1.el5 | 4.3.0.GA_CP08-bin-4.3.0-7.GA_CP08.5.ep1.el5 |
redhat/jbossas-client | <4.3.0-7.GA_CP08.5.ep1.el5 | 4.3.0-7.GA_CP08.5.ep1.el5 |
redhat/jbossts | <4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5 | 4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5 |
redhat/jbossweb | <2.0.0-6.CP13.0jpp.ep1.1.1.el5 | 2.0.0-6.CP13.0jpp.ep1.1.1.el5 |
redhat/jbossws | <2.0.1-5.SP2_CP08.1.ep1.1.el5 | 2.0.1-5.SP2_CP08.1.ep1.1.el5 |
redhat/rh-eap-docs | <4.3.0-7.GA_CP08.ep1.5.el5 | 4.3.0-7.GA_CP08.ep1.5.el5 |
redhat/rh-eap-docs-examples | <4.3.0-7.GA_CP08.ep1.5.el5 | 4.3.0-7.GA_CP08.ep1.5.el5 |
The severity of RHSA-2010:0379 is classified as important.
To fix the issues in RHSA-2010:0379, update the affected packages to their remedied versions specified in the advisory.
RHSA-2010:0379 affects various JBoss packages, including hibernate3, jboss-aop, jboss-cache, and others.
The vulnerabilities in RHSA-2010:0379 are authentication bypasses in the JMX Console (CVE-2010-0738) and the Web Console (CVE-2010-1428), whose security constraints covered only the GET and POST verbs, and the re-introduced unauthenticated access to the status servlet (CVE-2010-1429), which discloses details about deployed web contexts.
RHSA-2010:0379 was issued in April 2010; this page was first published on Tue Apr 27 2010.