First published: Thu Apr 03 2014
Red Hat JBoss BPM Suite is a business rules management system for the management, storage, creation, modification, and deployment of JBoss rules.

This release of Red Hat JBoss BPM Suite 6.0.1 serves as a replacement for Red Hat JBoss BPM Suite 6.0.0, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.0.1 Release Notes for information on the most significant of these changes. The Release Notes will be available at https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was discovered that JBoss BPM Suite allowed remote authenticated users to submit arbitrary Java code in MVFLEX Expression Language (MVEL) or JBoss Rules expressions, resulting in arbitrary code execution within the security context of the application server. Refer to the Solution section for details on the fix for this issue. (CVE-2013-6468)

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285)

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2011-5245, CVE-2012-0818)

It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-1624)

It was found that the Apache Camel XSLT component would resolve entities in XML messages when transforming them using an XSLT route. A remote attacker able to submit messages to an XSLT Camel route could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML External Entity (XXE) attacks. (CVE-2014-0002)

The CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of the Red Hat Security Response Team, and the CVE-2013-6468 issue was discovered by Marc Schoenefeld of the Red Hat Security Response Team. Red Hat would like to thank Grégory Draperi for independently reporting CVE-2013-6468.

All users of Red Hat JBoss BPM Suite 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.1.