First published: Mon May 20 2013
JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

Security fixes:

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575)

Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements.

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user's jsessionid and hijack their session, or by extracting the jsessionid from log files. Note that no session tracking method is used by default; one must be configured. (CVE-2012-4529)

If multiple applications used the same custom authorization module class name, and provided their own implementations of it, the first application to be loaded will have its implementation used for all other applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker. (CVE-2012-4572)

The GUI installer created a world-readable auto-install XML file containing both the JBoss Enterprise Application Platform administrator password and the sucker password for the selected messaging system in plain text. A local user able to access the directory where the GUI installer was run could use this flaw to gain administrative access to the JBoss Enterprise Application Platform instance. (CVE-2013-0218)

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575. CVE-2012-4572 was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team, and CVE-2013-0218 was discovered by Arun Neelicattu of the Red Hat Security Response Team.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

Users of JBoss Enterprise Application Platform 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.1.0.
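As an added example (not part of the advisory or of JBoss EAP itself), a small access-log check for the CVE-2012-4529 symptom: it scans Apache/JBoss Web-style log lines for a jsessionid exposed in the request URL, either as a query-string parameter (the behaviour the advisory describes) or as the `;jsessionid=` path parameter that ordinary URL rewriting produces, and reports the line numbers with the id redacted. The log lines and session ids are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of JBoss Web / Apache-style combined access-log lines
# (not taken from the advisory). Line 2 shows the CVE-2012-4529 symptom: the
# first request of a session on a COOKIE-tracked app carries ?jsessionid=...
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2013:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2013:10:00:02 +0000] "GET /shop/cart?jsessionid=A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6&item=42 HTTP/1.1" 200 1024
10.0.0.7 - - [20/May/2013:10:00:03 +0000] "GET /shop/cart?item=43 HTTP/1.1" 200 1024
10.0.0.9 - - [20/May/2013:10:00:04 +0000] "POST /shop/checkout;jsessionid=F0E1D2C3B4A5968778695A4B3C2D1E0F HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact(token: str, keep: int = 6) -> str:
    """Keep only a prefix of the session id so the report itself does not leak it."""
    return token[:keep] + "..." if len(token) > keep else token

def find_jsessionid_exposures(log_text: str):
    """Return (line_number, kind, redacted_id) for each request carrying a jsessionid.

    kind == 'query': jsessionid passed as a query-string parameter, the
                     CVE-2012-4529 symptom (encodeURL() on a COOKIE-tracked app).
    kind == 'path':  ';jsessionid=' path parameter, the normal URL-rewriting form.
    Either form lands the session id in access logs, so both are reported.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Query-string form: ?jsessionid=...  (parameter name compared case-insensitively)
        qs = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        if "jsessionid" in qs:
            findings.append((lineno, "query", redact(qs["jsessionid"][0])))
            continue
        # Path-parameter form: /path;jsessionid=...
        pm = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.IGNORECASE)
        if pm:
            findings.append((lineno, "path", redact(pm.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, kind, sid in find_jsessionid_exposures(SAMPLE_LOG):
        print(f"line {lineno}: jsessionid exposed via {kind} ({sid})")
```

Run against real access logs, a non-empty 'query' result on a COOKIE-tracked application is the signal that the unpatched encodeURL() behaviour is in play and that the affected session ids should be treated as compromised.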