First published: Tue Dec 17 2013
Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.2.0 release serves as a replacement for JBoss Operations Network 3.1.2, and includes several bug fixes. Refer to the JBoss Operations Network 3.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release:

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF. (CVE-2012-4431)

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172)

Warning: Before applying the update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

All users of JBoss Operations Network 3.1.2 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.2.0.
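The CSRF filter bypass described above (CVE-2012-4431) comes down to a nonce check that is only enforced when a session already exists. The following is an added illustration, not the advisory's or the project's own filter code: a minimal model of such a nonce check in its fail-open and fail-closed forms, run over constructed requests. The Request and Session types, the entry-point list and the sample nonce values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Paths that may be reached without a nonce (e.g. the first page that issues one).
ENTRY_POINTS = {"/login"}


@dataclass
class Session:
    # Nonces previously issued to this session (constructed model, not a real cache).
    nonce_cache: set = field(default_factory=set)


@dataclass
class Request:
    path: str
    session: Optional[Session]   # None models a request carrying no session identifier
    nonce: Optional[str]         # value of the CSRF nonce parameter, if any


def _nonce_cache(req: Request):
    return req.session.nonce_cache if req.session is not None else None


def csrf_check_fail_open(req: Request) -> bool:
    """Flawed logic: the nonce is only validated when a nonce cache exists.
    A request with no session has no cache, so it is let through unchecked."""
    if req.path in ENTRY_POINTS:
        return True
    cache = _nonce_cache(req)
    if cache is not None and (req.nonce is None or req.nonce not in cache):
        return False
    return True


def csrf_check_fail_closed(req: Request) -> bool:
    """Corrected logic: no session, no nonce or an unknown nonce are all rejected."""
    if req.path in ENTRY_POINTS:
        return True
    cache = _nonce_cache(req)
    if cache is None or req.nonce is None or req.nonce not in cache:
        return False
    return True


# Constructed sample traffic against a protected resource.
SAMPLE_REQUESTS = {
    "no_session": Request("/admin/delete", None, None),
    "wrong_nonce": Request("/admin/delete", Session({"nonce-1"}), "bogus"),
    "valid_nonce": Request("/admin/delete", Session({"nonce-1"}), "nonce-1"),
    "entry_point": Request("/login", None, None),
}


def evaluate(check) -> dict:
    """Return {request name: allowed?} for the given filter variant."""
    return {name: check(req) for name, req in SAMPLE_REQUESTS.items()}
```

Running evaluate() on both variants shows that only the session-less request differs: the fail-open filter allows it, the fail-closed one rejects it, while valid, wrong-nonce and entry-point requests are handled identically.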