RHSA-2013:0196: Important: JBoss Enterprise Web Platform 5.2.0 update

First published: Thu Jan 24 2013(Updated: )

An attack technique against the W3C XML Encryption Standard when block<br>ciphers were used in CBC mode could allow a remote attacker to conduct<br>chosen-ciphertext attacks, leading to the recovery of the entire plain text<br>of a particular cryptogram. (CVE-2011-1096)<br>JBoss Web Services leaked side-channel data when distributing symmetric<br>keys (for XML encryption), allowing a remote attacker to recover the entire<br>plain text form of a symmetric key. (CVE-2011-2487)<br>Spring framework could possibly evaluate Expression Language (EL)<br>expressions twice, allowing a remote attacker to execute arbitrary code in<br>the context of the application server, or to obtain sensitive information<br>from the server. Manual action is required to apply this fix. Refer to the<br>Solution section. (CVE-2011-2730)<br>Apache CXF checked to ensure XML elements were signed or encrypted by a<br>Supporting Token, but not whether the correct token was used. A remote<br>attacker could transmit confidential information without the appropriate<br>security, and potentially circumvent access controls on web services<br>exposed via Apache CXF. Refer to the Solution section for details.<br>(CVE-2012-2379)<br>When an application used FORM authentication, along with another component<br>that calls request.setUserPrincipal() before the call to<br>FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was<br>possible to bypass the security constraint checks in the FORM authenticator<br>by appending "/j_security_check" to the end of a URL. (CVE-2012-3546)<br>The JMX Console was vulnerable to CSRF attacks, allowing a remote attacker<br>to hijack the authenticated JMX Console session of an administrator.<br>(CVE-2011-2908)<br>An XSS flaw allowed a remote attacker to perform an XSS attack against<br>victims using the JMX Console. (CVE-2011-4575)<br>SecurityAssociation.getCredential() returned the previous credential if<br>no security context was provided. Depending on the deployed applications,<br>this could possibly allow a remote attacker to hijack the credentials of a<br>previously-authenticated user. (CVE-2012-3370)<br>Configuring the JMX Invoker to restrict access to users with specific<br>roles did not actually restrict access, allowing remote attackers with<br>valid JMX Invoker credentials to perform JMX operations accessible to<br>roles they are not a member of. (CVE-2012-5478)<br>twiddle.sh accepted credentials as command line arguments, allowing local<br>users to view them via a process listing. (CVE-2009-5066)<br>NonManagedConnectionFactory logged the username and password in plain text<br>when an exception was thrown. This could lead to the exposure of<br>authentication credentials if local users had permissions to read the log<br>file. (CVE-2012-0034)<br>The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow<br>unauthenticated access by default in some profiles. The security<br>interceptor's second layer of authentication prevented direct exploitation<br>of this flaw. If the interceptor was misconfigured or inadvertently<br>disabled, this flaw could lead to arbitrary code execution in the context<br>of the user running the JBoss server. (CVE-2012-0874)<br>The JGroups diagnostics service was enabled with no authentication when a<br>JGroups channel was started, allowing attackers on the adjacent network to<br>read diagnostic information. (CVE-2012-2377)<br>CallerIdentityLoginModule retained the password from the previous call if a<br>null password was provided. In non-default configurations this could<br>possibly lead to a remote attacker hijacking a previously-authenticated<br>user's session. (CVE-2012-3369)<br>Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for<br>reporting CVE-2011-1096 and CVE-2011-2487; the Apache CXF project for<br>reporting CVE-2012-2379; and Tyler Krpata for reporting CVE-2011-4575.<br>CVE-2012-3370 and CVE-2012-3369 were discovered by Carlo de Wolf of Red<br>Hat; CVE-2012-5478 discovered by Derek Horton of Red Hat; CVE-2012-0874<br>discovered by David Jorm of Red Hat; and CVE-2012-2377 was discovered by<br>Red Hat.<br>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• anchor-id/RHSA-2013:0196
• agent/weakness
• agent/severity
• agent/title
• agent/references
• agent/tags
• agent/description
• agent/type
• agent/event
• agent/first-publish-date
• agent/softwarecombine
• agent/remedy
• agent/last-modified-date
• package-manager/redhat