First published: Wed Jul 03 2013
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release:

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header. (CVE-2012-3499)

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071)

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 5 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/apache-commons-daemon-eap6 | <1.0.15-4.redhat_1.ep6.el5 | 1.0.15-4.redhat_1.ep6.el5 |
redhat/apache-commons-daemon-jsvc-eap6 | <1.0.15-1.redhat_1.ep6.el5 | 1.0.15-1.redhat_1.ep6.el5 |
redhat/apache-commons-pool-eap6 | <1.6-6.redhat_4.ep6.el5 | 1.6-6.redhat_4.ep6.el5 |
redhat/apache-commons-pool-tomcat-eap6 | <1.6-6.redhat_4.ep6.el5 | 1.6-6.redhat_4.ep6.el5 |
redhat/dom4j | <1.6.1-19.redhat_5.ep6.el5 | 1.6.1-19.redhat_5.ep6.el5 |
redhat/ecj3 | <3.7.2-6.redhat_1.ep6.el5 | 3.7.2-6.redhat_1.ep6.el5 |
redhat/httpd | <2.2.22-23.ep6.el5 | 2.2.22-23.ep6.el5 |
redhat/httpd-devel | <2.2.22-23.ep6.el5 | 2.2.22-23.ep6.el5 |
redhat/httpd-manual | <2.2.22-23.ep6.el5 | 2.2.22-23.ep6.el5 |
redhat/httpd-tools | <2.2.22-23.ep6.el5 | 2.2.22-23.ep6.el5 |
redhat/tomcat-native | <1.1.27-4.redhat_1.ep6.el5 | 1.1.27-4.redhat_1.ep6.el5 |
redhat/tomcat6 | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-admin-webapps | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-docs-webapp | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-el | <1.0-api-6.0.37-8_patch_01.ep6.el5 | 1.0-api-6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-javadoc | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-jsp | <2.1-api-6.0.37-8_patch_01.ep6.el5 | 2.1-api-6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-lib | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-log4j | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-servlet | <2.5-api-6.0.37-8_patch_01.ep6.el5 | 2.5-api-6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat6-webapps | <6.0.37-8_patch_01.ep6.el5 | 6.0.37-8_patch_01.ep6.el5 |
redhat/tomcat7 | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-admin-webapps | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-docs-webapp | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-el | <1.0-api-7.0.40-9_patch_01.ep6.el5 | 1.0-api-7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-javadoc | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-jsp | <2.2-api-7.0.40-9_patch_01.ep6.el5 | 2.2-api-7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-lib | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-log4j | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-servlet | <3.0-api-7.0.40-9_patch_01.ep6.el5 | 3.0-api-7.0.40-9_patch_01.ep6.el5 |
redhat/tomcat7-webapps | <7.0.40-9_patch_01.ep6.el5 | 7.0.40-9_patch_01.ep6.el5 |
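As an added example (not part of the advisory), a Python check that decides whether an installed version-release string is still below the fixed version listed in the table above, using rpm's segment-wise comparison rules rather than a plain string compare; the `FIXED` map is taken from the table, while the `rpm -q` output format and the sample lines are assumptions.

```python
import re
# Fixed version-release strings taken from this advisory's table (RHEL 5 build).
FIXED = {
    "httpd": "2.2.22-23.ep6.el5",
    "tomcat-native": "1.1.27-4.redhat_1.ep6.el5",
    "tomcat6": "6.0.37-8_patch_01.ep6.el5",
    "tomcat7": "7.0.40-9_patch_01.ep6.el5",
}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version (or release) strings like rpm's rpmvercmp(): split into
    numeric/alphabetic segments ('.', '_', '-' only delimit); numbers compare as
    integers and beat letters; letters compare lexically; leftover segments win.
    Returns -1, 0 or 1. Tilde/caret rules of newer rpm releases are omitted."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: the version decides, then the release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(package, installed):
    """True when the installed version-release is older than the fixed one."""
    return vr_cmp(installed, FIXED[package]) < 0

def audit(rpm_output):
    """Names from 'name version-release' lines (as printed by
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n') that are still below the fix."""
    outdated = []
    for line in rpm_output.splitlines():
        name, _, vr = line.strip().partition(" ")
        if name in FIXED and needs_update(name, vr):
            outdated.append(name)
    return outdated

# Constructed sample output, not captured from a real host.
SAMPLE = """httpd 2.2.22-22.ep6.el5
tomcat6 6.0.37-8.ep6.el5
tomcat7 7.0.40-9_patch_01.ep6.el5
tomcat-native 1.1.27-4.redhat_1.ep6.el5"""
```

`audit(SAMPLE)` reports `httpd` and `tomcat6` as outdated; note that a lexical compare would wrongly rank release `22` above `23`-style values such as `2.2.3`, which is why the segment-wise rules matter.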