First published: Thu Jan 31 2013
Security fixes:

An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring Framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730)

When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. (CVE-2012-3546)

An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370)

Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066)

It was found that NonManagedConnectionFactory would log the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874)

CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-1096 and CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575. CVE-2012-3370 and CVE-2012-3369 were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response Team.