First published: Mon Apr 14 2014
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

Security fixes:

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172)

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle attacker could possibly use this flaw to unilaterally disable bidirectional authentication between a client and a server, forcing a downgrade to simple (unidirectional) authentication. This flaw only affected users who had enabled Hadoop's Kerberos security features. (CVE-2013-2192)

It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. (CVE-2013-4152)

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

It was found that the Spring MVC SourceHttpMessageConverter enabled entity resolution by default. A remote attacker could use this flaw to conduct XXE attacks on web sites, and read files in the context of the user running the application server. (CVE-2013-6429)

The Spring JavaScript escape method insufficiently escaped some characters. Applications using this method to escape user-supplied content, which would be rendered in HTML5 documents, could be exposed to cross-site scripting (XSS) flaws. (CVE-2013-6430)

A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Apache Commons FileUpload to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

It was found that the fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues in Spring were incomplete. Spring MVC processed user-provided XML and neither disabled XML external entities nor provided an option to disable them, possibly allowing a remote attacker to conduct XXE attacks. (CVE-2014-0054)

A cross-site scripting (XSS) flaw was found in the Spring Framework when using Spring MVC. When the action was not specified in a Spring form, the action field would be populated with the requested URI, allowing an attacker to inject malicious content into the form. (CVE-2014-1904)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

An information disclosure flaw was found in the way Apache ZooKeeper stored the password of an administrative user in the log files. A local user with access to these log files could use the exposed sensitive information to gain administrative access to an application using Apache ZooKeeper. (CVE-2014-0085)

The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of Red Hat.
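The two Santuario entries above (CVE-2013-2172, an arbitrary canonicalization algorithm applied to SignedInfo; CVE-2013-4517, DTDs processed inside Transforms) share a root cause: the verifier trusted algorithm identifiers and markup carried inside the signature it was checking. The following is an added example, not code from Santuario, Spring or Red Hat. It uses the JDK's JSR 105 API (javax.xml.crypto.dsig) rather than Santuario's own classes, loads the signed document with DOCTYPE declarations refused, enables the JDK's secure-validation mode, and checks the canonicalization method and every reference transform against an explicit allowlist before the cryptographic check runs. The class name, the allowlist contents and the single-Signature requirement are my choices for the example.

```java
import java.io.InputStream;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Example verifier (hypothetical class, not Santuario's API): algorithms the
// signer is allowed to name are fixed here, not taken from the signature.
public class StrictSignatureCheck {

    // Only the standard C14N variants without comments are accepted for
    // SignedInfo; anything else (including an arbitrary transform URI
    // smuggled in as a "canonicalization" method) is rejected up front.
    static final List<String> ALLOWED_C14N = Arrays.asList(
        CanonicalizationMethod.EXCLUSIVE,
        CanonicalizationMethod.INCLUSIVE);

    // Reference transforms: enveloped-signature plus the same C14N set.
    static final List<String> ALLOWED_TRANSFORMS = Arrays.asList(
        Transform.ENVELOPED,
        CanonicalizationMethod.EXCLUSIVE,
        CanonicalizationMethod.INCLUSIVE);

    // Parse the signed document with DTD processing disabled, so no DOCTYPE
    // (in the signature or the payload) can drive entity expansion.
    static Document parseSigned(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    // Returns true only if exactly one Signature is present, every algorithm
    // it names is on the allowlist, and the signature then validates against
    // the key we already trust (not one named in the KeyInfo).
    static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;
        }

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        // JDK-side secure validation mode (limits transforms, forbids weak or
        // dangerous algorithms, caps reference counts).
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        String c14n = sig.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(c14n)) {
            return false;
        }
        for (Object r : sig.getSignedInfo().getReferences()) {
            for (Object t : ((Reference) r).getTransforms()) {
                if (!ALLOWED_TRANSFORMS.contains(((Transform) t).getAlgorithm())) {
                    return false;
                }
            }
        }
        // Only now do the digest and signature-value checks.
        return sig.validate(ctx);
    }
}
```

The ordering matters: the allowlist check happens after unmarshalling but before `validate()`, so a hostile algorithm URI is never executed over attacker-controlled markup. The raw `Object` loops keep the code compiling on both the pre-generic (Java 8) and generic (Java 9+) versions of `getReferences()` and `getTransforms()`.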
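The three Spring XXE entries (CVE-2013-4152, CVE-2013-6429, CVE-2014-0054) come down to the same pattern: untrusted XML handed to an unmarshaller whose underlying parser still processes DTDs and resolves external entities. The following added example (not Spring's, JAXB's or Red Hat's code) shows the vulnerable pattern beside the hardened one using plain JAXB. It assumes a JAXB implementation on the classpath whose default parser resolves external entities, as the historical JDK-bundled one did (JAXB is part of the JDK up to Java 8 and a separate dependency from Java 11 on). The `Order` class, the constructed payload and the `file:///etc/hostname` target are illustrative.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeUnmarshal {

    // Hypothetical request payload type for the example.
    @XmlRootElement(name = "order")
    public static class Order {
        @XmlElement public String customer;
    }

    // Constructed sample: a request body declaring an external entity that
    // points at a local file. With entity resolution enabled, "customer"
    // ends up holding that file's contents and is echoed back to the caller.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<order><customer>&xxe;</customer></order>";

    // Vulnerable pattern: JAXB is given the raw character stream and picks
    // the parser configuration itself, so DTDs and external entities are
    // processed according to that parser's defaults.
    static Order unmarshalUnsafe(String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(new StringReader(xml));
    }

    // Hardened pattern: build a StAX reader with DTD support and external
    // entity resolution switched off, then hand that reader to JAXB. Either
    // the DOCTYPE is refused or the undeclared entity reference fails; in
    // neither case is the file read.
    static Order unmarshalSafe(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(reader);
    }

    public static void main(String[] args) {
        try {
            Order o = unmarshalUnsafe(XXE_PAYLOAD);
            // On a parser that resolves external entities this prints the
            // host name read from /etc/hostname: the XXE read.
            System.out.println("unsafe: customer=" + o.customer);
        } catch (Exception e) {
            System.out.println("unsafe: " + e);
        }
        try {
            Order o = unmarshalSafe(XXE_PAYLOAD);
            System.out.println("safe: customer=" + o.customer);
        } catch (Exception e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```

The same two `XMLInputFactory` properties are the knob a framework has to expose; the CVE-2013-4152 and CVE-2014-0054 descriptions above are precisely about that knob being absent. If the framework builds the parser for you, check that it offers an equivalent setting and that its default is "off".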
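The JavaScript-escape issue (CVE-2013-6430) is one instance of a general rule: a value placed inside a string literal in an HTML `<script>` element is seen by the HTML tokenizer before JavaScript ever parses it, so escaping only quotes and backslashes still lets `</script>` close the block, and U+2028/U+2029 are line terminators to JavaScript even though they are ordinary whitespace to HTML. The following added example contrasts a quotes-only escaper with one that also handles those cases; it is my own code, not Spring's JavaScriptUtils implementation, and the class name and the exact escape set are my choices.

```java
public final class JsStringEscape {

    // Insufficient: handles the JavaScript string grammar only. The HTML
    // tokenizer still finds "</script>" inside the literal and ends the
    // script block there, so the remainder of the value runs as markup.
    static String escapeQuotesOnly(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"").replace("'", "\\'");
    }

    // Escapes a value for embedding inside a JS string literal that lives in
    // an HTML <script> block. '<', '>' and '&' are emitted as \uXXXX so no
    // tag or entity can form; '/' is escaped so "</" never appears; the JS
    // line terminators U+2028/U+2029 and all C0 controls are escaped too.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':      sb.append("\\\"");   break;
                case '\'':     sb.append("\\'");    break;
                case '\\':     sb.append("\\\\");   break;
                case '/':      sb.append("\\/");    break;
                case '<':      sb.append("\\u003C"); break;
                case '>':      sb.append("\\u003E"); break;
                case '&':      sb.append("\\u0026"); break;
                case '\n':     sb.append("\\n");    break;
                case '\r':     sb.append("\\r");    break;
                case '\t':     sb.append("\\t");    break;
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04X", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker value: closes the string, then the script.
        String hostile = "x\"; </script><script>alert(1)</script>";
        System.out.println("var name = \"" + escapeQuotesOnly(hostile) + "\";");
        System.out.println("var name = \"" + escape(hostile) + "\";");
    }
}
```

The first line of output still contains a literal `</script>`, which is all the HTML parser needs; the second line contains only `\u003C\/script\u003E`, which JavaScript decodes back to the original characters inside the string but which the HTML tokenizer never sees as a tag.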
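The HawtJNI issue (CVE-2013-2035) is the classic predictable-temp-file race: a fixed name in a world-writable directory gives a local attacker a window between the write and the `System.load()`. The following added example (not HawtJNI's code) contrasts the predictable write with extraction into a freshly created private directory, a file opened with `CREATE_NEW` so a pre-planted file or symlink causes a failure rather than being followed, and an ownership and mode check immediately before loading. It assumes a POSIX filesystem and Java 11 or later; the class, method and prefix names are mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class NativeLibExtractor {

    // Vulnerable pattern (shown for contrast, do not use): fixed, guessable
    // destination in the shared /tmp. Any local user can pre-create the file,
    // plant a symlink, or replace the contents between copy and load.
    static Path extractPredictable(InputStream lib, String name) throws IOException {
        Path target = Path.of("/tmp", name);   // e.g. /tmp/libexample.so
        Files.copy(lib, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    // Hardened pattern: random directory name, mode 0700, file created with
    // CREATE_NEW (fails if anything already exists at that path), then a
    // last-moment check on the file we are about to hand to the loader.
    static Path extractPrivate(InputStream lib, String name) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory("native-",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        Path target = dir.resolve(name);
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            lib.transferTo(out);
        }
        verifyBeforeLoad(target);
        return target;
    }

    // Refuse symlinks, files we do not own, and anything group/world writable.
    static void verifyBeforeLoad(Path p) throws IOException {
        if (Files.isSymbolicLink(p)) {
            throw new IOException("refusing symlink: " + p);
        }
        String owner = Files.getOwner(p, LinkOption.NOFOLLOW_LINKS).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new IOException("not owned by current user: " + p);
        }
        Set<PosixFilePermission> perms =
            Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("group/world writable: " + p);
        }
    }

    // Typical use: pull the library out of the JAR and load it.
    static void loadBundled(Class<?> anchor, String resource, String libName)
            throws IOException {
        try (InputStream in = anchor.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("missing bundled resource " + resource);
            }
            Path p = extractPrivate(in, libName);
            System.load(p.toAbsolutePath().toString());
        }
    }
}
```

Two caveats a practitioner would check: `java.io.tmpdir` must not itself be attacker-controlled (the private directory is created under it), and the `verifyBeforeLoad` check narrows but does not eliminate the race for a process that keeps the file around; deleting the extracted file after `System.load()` returns closes that window on Linux, where the mapping survives the unlink.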