First published: Tue Feb 26 2013
JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform.

An attack technique was found against the W3C XML Encryption Standard when block ciphers were used in cipher-block chaining (CBC) mode. A remote attacker could use this flaw to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram by examining the differences between SOAP (Simple Object Access Protocol) responses sent from JBoss Web Services. (CVE-2011-1096)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting this issue.

Note: Manual action is required to apply this update. The CVE-2011-1096 issue is an attack on the WS-Security standard itself. Using new Galois/Counter Mode (GCM) based algorithms for WS-Security encryption is the W3C suggested way of dealing with this issue. To use GCM algorithms in your application, update the encrypt element of all jboss-ws-security configuration to specify a GCM algorithm. The following is an example directive:

    <encrypt type="x509v3" algorithm="aes-128-gcm" alias="wsse"/>

Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

All users of JBoss Enterprise SOA Platform 4.3 CP05 and JBoss Enterprise Portal Platform 4.3 CP07 as provided from the Red Hat Customer Portal are advised to apply this update.
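Because the fix requires editing every encrypt element by hand, a quick way to confirm nothing was missed is to scan each jboss-ws-security configuration for encrypt elements that do not name a GCM algorithm. The script below is an added example, not Red Hat's or JBoss's code; the sample configuration, its namespace URI, the "aes-128" CBC value and the treatment of a missing algorithm attribute as the (CBC) runtime default are assumptions made here for illustration.

```python
"""Audit jboss-ws-security configuration for non-GCM <encrypt> elements."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The GCM suites the advisory recommends; anything else is flagged.
GCM_ALGORITHMS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}


def local_name(tag: str) -> str:
    """Strip the ElementTree namespace prefix, e.g. '{uri}encrypt' -> 'encrypt'."""
    return tag.rsplit("}", 1)[-1]


def _walk(node: ET.Element, path: str, out: List[Tuple[str, str]]) -> None:
    for child in node:
        child_path = f"{path}/{local_name(child.tag)}"
        if local_name(child.tag) == "encrypt":
            # Assumption: no algorithm attribute means the runtime default,
            # which the advisory implies is a CBC cipher, so report it too.
            alg = child.get("algorithm", "default").lower()
            if alg not in GCM_ALGORITHMS:
                out.append((child_path, alg))
        _walk(child, child_path, out)


def find_cbc_encrypt(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element path, algorithm) for every <encrypt> still not on GCM."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    _walk(root, local_name(root.tag), findings)
    return findings


# Constructed sample: one element on the assumed CBC value, one with no
# algorithm attribute at all (both need to change), and a fixed variant.
SAMPLE_CBC = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config>
    <sign type="x509v3" alias="wsse"/>
    <encrypt type="x509v3" algorithm="aes-128" alias="wsse"/>
    <port name="SecurePort">
      <operation name="getQuote">
        <encrypt type="x509v3" alias="wsse"/>
      </operation>
    </port>
  </config>
</jboss-ws-security>"""

SAMPLE_GCM = SAMPLE_CBC.replace('algorithm="aes-128"', 'algorithm="aes-128-gcm"').replace(
    '<encrypt type="x509v3" alias="wsse"/>', '<encrypt type="x509v3" algorithm="aes-256-gcm" alias="wsse"/>')

if __name__ == "__main__":
    for path, alg in find_cbc_encrypt(SAMPLE_CBC):
        print(f"needs GCM: {path} (algorithm={alg})")
```

Running it over a real deployment means feeding each jboss-wsse-server.xml / jboss-wsse-client.xml into find_cbc_encrypt and fixing every path it reports.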