First published: Wed Feb 20 2013
Security:

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. (CVE-2011-2730)

Note: Manual action is required to apply the fix for CVE-2011-2730. If your system has deployed applications which use Spring framework, the context parameter "springJspExpressionSupport" must be set to "false" to mitigate this flaw, for example, in the application's web.xml file. This will prevent the double-evaluation of EL expressions that led to this flaw.

An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370)

A denial of service flaw was found in the implementation of associative arrays (hashes) in JRuby. An attacker able to supply a large number of inputs to a JRuby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, the Murmur hash function has been replaced with the Perl hash function. (CVE-2012-5370)

Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2012-5370 flaw is not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application.

Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066)

NonManagedConnectionFactory logged the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874)

CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575. The CVE-2012-3370 and CVE-2012-3369 issues were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response Team.

Warning: Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise SOA Platform 5.3.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform 5.3.1.
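The CVE-2011-2730 note above makes the upgrade incomplete on its own: every deployed application that uses Spring must also carry the springJspExpressionSupport context parameter set to false. The script below is an added example for auditing that step; it is not part of the Red Hat advisory or of JBoss. It assumes applications are deployed as exploded WARs under a deploy directory given on the command line (an assumption about your layout), reads each WEB-INF/web.xml regardless of which Servlet namespace it declares, and treats a missing parameter as unmitigated because the advisory asks for an explicit false. The two web.xml fragments embedded in it are constructed samples, not files from a real deployment.

```python
"""Audit deployed web.xml files for the CVE-2011-2730 mitigation.

For each WEB-INF/web.xml below a deploy directory, report whether the
Spring context parameter springJspExpressionSupport is set to "false",
as the RHSA-2013:0533 advisory requires for Spring-based applications.
"""
import os
import sys
import xml.etree.ElementTree as ET

PARAM = "springJspExpressionSupport"  # name taken from the advisory text


def _local(tag):
    """Strip the XML namespace ({uri}name -> name).

    Servlet 2.4 (j2ee), 2.5 and 3.0 (javaee) web.xml files use different
    namespace URIs; matching on the local name handles all of them.
    """
    return tag.rsplit("}", 1)[-1]


def spring_el_mitigation_status(web_xml_text):
    """Classify one web.xml document.

    Returns one of:
      'mitigated' - the parameter is present and set to false
      'enabled'   - the parameter is present with any other value (or no value)
      'missing'   - no such context-param; the advisory requires an explicit false
      'invalid'   - the document could not be parsed as XML
    """
    try:
        root = ET.fromstring(web_xml_text)
    except ET.ParseError:
        return "invalid"
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM:
            # An empty or absent value is not "false", so it counts as enabled.
            return "mitigated" if (value or "").lower() == "false" else "enabled"
    return "missing"


def scan_deploy_dir(deploy_dir):
    """Return [(path, status), ...] for every WEB-INF/web.xml under deploy_dir.

    Only exploded WARs are inspected; packaged .war archives are not opened.
    """
    results = []
    for dirpath, _dirs, files in os.walk(deploy_dir):
        if os.path.basename(dirpath) == "WEB-INF" and "web.xml" in files:
            path = os.path.join(dirpath, "web.xml")
            with open(path, encoding="utf-8") as fh:
                results.append((path, spring_el_mitigation_status(fh.read())))
    return results


# Constructed sample documents (assumptions for illustration, not real deployments).
MITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
"""

UNMITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/app.xml</param-value>
  </context-param>
</web-app>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python check_spring_el.py /path/to/jboss/server/default/deploy
        for path, status in scan_deploy_dir(sys.argv[1]):
            print(f"{status:9s} {path}")
    else:
        # No directory given: demonstrate on the constructed samples.
        print("mitigated sample  ->", spring_el_mitigation_status(MITIGATED_WEB_XML))
        print("unmitigated sample ->", spring_el_mitigation_status(UNMITIGATED_WEB_XML))
```

Run it against the server's deploy directory after the 5.3.1 upgrade; any application reported as missing or enabled that uses Spring still needs the web.xml change before the CVE-2011-2730 fix is in effect. The check is textual, so it cannot tell whether an application actually uses Spring; it only reports what each web.xml declares.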
RHSA-2013:0533 is rated critical. The advisory bundles several remotely exploitable flaws: double evaluation of Spring EL expressions leading to arbitrary code execution (CVE-2011-2730), invoker servlets that allow unauthenticated access by default in some profiles (CVE-2012-0874), and a side channel that lets a remote attacker recover an entire symmetric XML encryption key (CVE-2011-2487), alongside credential-hijacking, XSS, authorization-bypass, credential-disclosure and denial-of-service issues.
To fix RHSA-2013:0533, back up the installation and upgrade JBoss Enterprise SOA Platform 5.3.0 to 5.3.1 from the Red Hat Customer Portal. The upgrade alone does not close CVE-2011-2730: each deployed application that uses the Spring framework must also have the context parameter springJspExpressionSupport set to false, for example in its web.xml.
RHSA-2013:0533 affects JBoss Enterprise SOA Platform 5.3.0. CVE-2011-2487 specifically affects JBoss Web Services deployments that distribute symmetric keys for XML encryption.
CVE-2011-2487 involves key leakage through a side channel in JBoss Web Services' symmetric key distribution; the advisory states that a remote attacker can recover the entire plain text of the key.
Two mitigations are spelled out in the advisory itself: setting springJspExpressionSupport to false in every Spring-based application is a required manual step for CVE-2011-2730, and CVE-2012-5370 is only exposed if a custom application uses the JRuby shipped with the scripting_chain quickstart. For the remaining flaws there is no workaround; upgrading to 5.3.1 is the fix.