First published: Thu Feb 14 2013
JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

An attack technique was found against the W3C XML Encryption Standard when block ciphers were used in cipher-block chaining (CBC) mode. A remote attacker could use this flaw to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram by examining the differences between SOAP (Simple Object Access Protocol) responses sent from JBoss Web Services. (CVE-2011-1096)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

Note: Manual action is required to apply this update. The CVE-2011-1096 issue is an attack on the WS-Security standard itself. Using new Galois/Counter Mode (GCM) based algorithms for WS-Security encryption is the W3C suggested way of dealing with this issue. To use GCM algorithms in your application, update the encrypt element of all jboss-ws-security configuration to specify a GCM algorithm. The following is an example directive:

<encrypt type="x509v3" algorithm="aes-128-gcm" alias="wsse"/>

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided from the Red Hat Customer Portal are advised to apply this update.
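The manual step above has to be repeated for every encrypt element in every jboss-ws-security configuration, so it is easy to miss one. The following audit script is an added example (not Red Hat's or JBoss's own tooling) that parses such a configuration, reports every encrypt element that does not name a GCM algorithm, and produces a corrected copy. The encrypt attributes are the ones from the advisory; the surrounding jboss-ws-security, config and port elements and the namespace URI are assumed for the sample and may differ from a real deployment, and the assumption that an encrypt element with no algorithm attribute falls back to a non-GCM mode is also an assumption of this example, which is why such elements are flagged too.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the sample; registered so the rewritten file keeps a
# default (unprefixed) namespace instead of an ns0: prefix.
WS_SECURITY_NS = "http://www.jboss.com/ws-security/config"
ET.register_namespace("", WS_SECURITY_NS)

# Constructed sample configuration. The <encrypt> attributes follow the
# advisory; the wrapper elements are assumed for illustration only.
SAMPLE_CONFIG = f"""<jboss-ws-security xmlns="{WS_SECURITY_NS}">
  <config>
    <encrypt type="x509v3" alias="wsse"/>
  </config>
  <port name="SecurePort">
    <config>
      <encrypt type="x509v3" algorithm="aes-128-cbc" alias="wsse"/>
    </config>
  </port>
  <port name="FixedPort">
    <config>
      <encrypt type="x509v3" algorithm="aes-128-gcm" alias="wsse"/>
    </config>
  </port>
</jboss-ws-security>
"""

# The advisory recommends GCM-based algorithms; these identifiers follow the
# aes-128-gcm form shown in the advisory and are assumed for the other sizes.
GCM_ALGORITHMS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}


def local_name(tag):
    """Strip a '{uri}' namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def element_path(path, elem):
    """Build a readable path, adding [name] for elements that carry a name."""
    name = local_name(elem.tag)
    suffix = f"[{elem.get('name')}]" if elem.get("name") else ""
    return f"{path}/{name}{suffix}"


def find_non_gcm_encrypt_elements(config_xml):
    """Return (path, algorithm) for every <encrypt> element that does not
    specify a GCM algorithm. A missing algorithm attribute is reported as
    'default' on the assumption that the default is not a GCM mode."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = element_path(path, elem)
        if local_name(elem.tag) == "encrypt":
            algorithm = elem.get("algorithm", "default")
            if algorithm not in GCM_ALGORITHMS:
                findings.append((here, algorithm))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def rewrite_to_gcm(config_xml, algorithm="aes-128-gcm"):
    """Return a copy of the configuration in which every <encrypt> element
    specifies the given GCM algorithm, as the advisory instructs."""
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "encrypt":
            elem.set("algorithm", algorithm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, algorithm in find_non_gcm_encrypt_elements(SAMPLE_CONFIG):
        print(f"needs update: {path} (algorithm={algorithm})")
    print(rewrite_to_gcm(SAMPLE_CONFIG))
```

Run against a real deployment, the script would read each jboss-ws-security.xml from the deployed applications instead of SAMPLE_CONFIG; the matching on the encrypt element is namespace-agnostic, so it works whether or not the file declares the namespace used in the sample. Review the rewritten output before deploying it, since the backup step in the advisory applies to configuration files as well.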