First published: Thu Jan 24 2013
An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730)

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379)

When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. (CVE-2012-3546)

The JMX Console was vulnerable to CSRF attacks, allowing a remote attacker to hijack the authenticated JMX Console session of an administrator. (CVE-2011-2908)

An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370)

Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874)

The JGroups diagnostics service was enabled with no authentication when a JGroups channel was started, allowing attackers on the adjacent network to read diagnostic information. (CVE-2012-2377)

CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-1096 and CVE-2011-2487; the Apache CXF project for reporting CVE-2012-2379; and Tyler Krpata for reporting CVE-2011-4575. CVE-2012-3370 and CVE-2012-3369 were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; CVE-2012-0874 was discovered by David Jorm of Red Hat; and CVE-2012-2377 was discovered by Red Hat.
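The two XML Encryption items above (CVE-2011-1096 and CVE-2011-2487) come down to one property: CBC decryption with no integrity check is malleable, and any server behaviour that depends on the decrypted bytes, such as an XML well-formedness error, becomes a byte-by-byte oracle. The Go program below is an example added to this page; it is not code from the advisory, from JBoss, or from the research the advisory credits to Juraj Somorovsky. The AES-128 key, IV and plaintext are constructed for the demo, the server is modelled as a single "parse failed" bit (invalid UTF-8 or an unescaped '&'), and the padding check that the real attack also exploits is left out.

```go
// Example added for this page: AES-CBC without integrity protection, a server
// whose error response depends on the decrypted bytes, and the per-byte
// recovery that results. Key, IV and plaintext are constructed for the demo.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"unicode/utf8"
)

const blockSize = 16

var (
	demoKey = []byte("0123456789abcdef") // constructed AES-128 key
	demoIV  = []byte("fedcba9876543210") // constructed IV
	// Two full blocks of ASCII character data with no '&', so the oracle starts "clean".
	demoPlaintext = []byte("card=4111111111111111 pin=0427!!")
)

// cbcEncrypt is what the sender does: plain CBC, no MAC and no AEAD tag.
func cbcEncrypt(key, iv, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

// serverDecryptsAndParses models the vulnerable endpoint: it decrypts whatever
// (IV, ciphertext) the client supplied and then "parses" it. Invalid UTF-8 or an
// unescaped '&' makes an XML parser fail, and that failure is visible to the
// client. The padding check is omitted to keep the oracle to one bit.
func serverDecryptsAndParses(key, iv, ct []byte) bool {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return utf8.Valid(pt) && !bytes.ContainsRune(pt, '&')
}

// recoverBlock recovers plaintext block k using only the oracle. CBC gives
// P[k] = D(C[k]) XOR C[k-1], so the attacker submits a one-block message whose
// IV is C[k-1] with byte j XORed by guess^'&'. Decrypted byte j is then
// P[k][j]^guess^'&', which equals the forbidden '&' exactly when guess is right.
func recoverBlock(ct, iv []byte, k int, oracle func(iv, ct []byte) bool) []byte {
	prev := iv
	if k > 0 {
		prev = ct[(k-1)*blockSize : k*blockSize]
	}
	block := ct[k*blockSize : (k+1)*blockSize]
	out := make([]byte, blockSize)
	for j := 0; j < blockSize; j++ {
		// ASCII plaintext assumed: guesses below 0x80 keep the byte valid UTF-8,
		// so the only thing that can trip the parser is the '&' we aim for.
		for g := 0; g < 128; g++ {
			probe := append([]byte(nil), prev...)
			probe[j] ^= byte(g) ^ '&'
			if !oracle(probe, block) {
				out[j] = byte(g)
				break
			}
		}
	}
	return out
}

// RecoverAll runs the attack over every block of ct, at most 128 queries per byte.
func RecoverAll(key, iv, ct []byte) []byte {
	oracle := func(iv, c []byte) bool { return serverDecryptsAndParses(key, iv, c) }
	var out []byte
	for k := 0; k < len(ct)/blockSize; k++ {
		out = append(out, recoverBlock(ct, iv, k, oracle)...)
	}
	return out
}

// GCMRejectsTampering is the fix: an authenticated mode fails closed on any
// modified ciphertext, so attacker-chosen bytes are never decrypted and parsed.
func GCMRejectsTampering(key, pt []byte) bool {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize()) // zero nonce: one message under a demo key only
	ct := gcm.Seal(nil, nonce, pt, nil)
	ct[0] ^= 0x01 // a single flipped bit
	_, err = gcm.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	ct := cbcEncrypt(demoKey, demoIV, demoPlaintext)
	fmt.Printf("recovered via parse-error oracle: %q\n", RecoverAll(demoKey, demoIV, ct))
	fmt.Println("AES-GCM rejects tampered ciphertext:", GCMRejectsTampering(demoKey, demoPlaintext))
}
```

The attacker never needs the key: each probe is a two-block message (a crafted IV plus one original ciphertext block), and the server's accept/reject answer leaks one byte per at most 128 requests. Any integrity-checked construction (AES-GCM, or encrypt-then-MAC verified before decryption) removes the signal, which is why the fix for this class of bug is a change of mode rather than a patch to the parser.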
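The twiddle.sh item (CVE-2009-5066) is one instance of a general rule: a process's argument vector is readable by every local user. The Go program below is an example added here, not twiddle.sh or JBoss code. It starts a stand-in child (`sh -c 'sleep 5'` with constructed flag names and a constructed secret as positional arguments), reads that child's argv back from /proc/<pid>/cmdline, which is what `ps` shows and is Linux-specific, and then shows the safe alternative of delivering the secret on standard input.

```go
// Example added for this page, not from twiddle.sh: a secret passed in argv is
// readable by every local user through the process list, while a secret fed
// on stdin is not. The child command, flag names and secret are constructed.
package main

import (
	"fmt"
	"os"
	"os/exec"
	"runtime"
	"strings"
)

// SecretVisibleInProcList starts a child the way `tool -u admin -p SECRET`
// would and reads its argv back from /proc/<pid>/cmdline, the same source
// `ps -ef` uses and which any local user may read. Linux only.
func SecretVisibleInProcList(secret string) (bool, error) {
	if runtime.GOOS != "linux" {
		return false, fmt.Errorf("/proc/<pid>/cmdline is Linux-only, running on %s", runtime.GOOS)
	}
	// sh -c 'sleep 5' sh -u admin -p SECRET: everything after the script is $0, $1, ...
	cmd := exec.Command("sh", "-c", "sleep 5", "sh", "-u", "admin", "-p", secret)
	if err := cmd.Start(); err != nil { // Start returns only after the exec succeeded
		return false, err
	}
	defer func() {
		_ = cmd.Process.Kill()
		_ = cmd.Wait()
	}()
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", cmd.Process.Pid))
	if err != nil {
		return false, err
	}
	// cmdline is NUL-separated, NUL-terminated
	for _, arg := range strings.Split(strings.TrimRight(string(raw), "\x00"), "\x00") {
		if arg == secret {
			return true, nil
		}
	}
	return false, nil
}

// SecretViaStdin is the fix: the child reads the password from standard input
// (a mode-0600 file works the same way), so argv, and therefore the process
// list, never carries it. Returns true when the child received the secret and
// no argv element contains it.
func SecretViaStdin(secret string) (bool, error) {
	cmd := exec.Command("sh", "-c", `IFS= read -r pw && printf '%s' "$pw"`)
	cmd.Stdin = strings.NewReader(secret + "\n")
	out, err := cmd.Output()
	if err != nil {
		return false, err
	}
	for _, arg := range cmd.Args {
		if strings.Contains(arg, secret) {
			return false, nil
		}
	}
	return string(out) == secret, nil
}

func main() {
	const secret = "s3cret-pa55" // constructed
	leaked, err := SecretVisibleInProcList(secret)
	fmt.Println("secret visible in process list:", leaked, err)
	safe, err := SecretViaStdin(secret)
	fmt.Println("secret delivered on stdin and absent from argv:", safe, err)
}
```

Environment variables are only marginally better than argv: /proc/<pid>/environ is restricted to the process owner, but it is still on disk-like storage that debuggers, core dumps and child processes inherit. Prompting on a TTY, reading a 0600 file, or reading stdin keeps the credential out of all of those places.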