First published: Mon Jun 30 2014
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.0.2 serves as a replacement for Red Hat JBoss BRMS 6.0.1, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BRMS 6.0.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly at https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/.

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not verify the From attribute of a roster-query IQ stanza. A remote attacker could use this flaw to spoof IQ responses. (CVE-2014-0364)

A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193)

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue.

All users of Red Hat JBoss BRMS 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BRMS 6.0.2.
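The WebSocket fragmentation issue above (CVE-2014-0193) is a reassembly problem: a decoder that buffers continuation fragments without a ceiling lets a single client grow one message until the server runs out of memory. The following is an added Python illustration of the mitigation pattern, not Netty's or JBoss BRMS code; the (fin, opcode, payload) tuple shape, the 1024-byte cap and the error strings are assumptions.

```python
# Constructed illustration (not Netty's code) of bounding fragmented-message reassembly in a
# WebSocket-style decoder: frames are (fin, opcode, payload) tuples; the cap is an assumed value.
OP_CONTINUATION, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2

class FrameError(Exception):
    """Protocol violation: the server closes the connection instead of buffering."""

class BoundedAggregator:
    def __init__(self, max_content_length):
        self.max_content_length = max_content_length
        self._reset()

    def _reset(self):
        self._opcode, self._parts, self._size = None, [], 0

    def feed(self, frame):
        fin, opcode, payload = frame
        if opcode == OP_CONTINUATION:
            if self._opcode is None:  # nothing to continue
                raise FrameError("continuation frame without an initial frame")
        elif opcode in (OP_TEXT, OP_BINARY):
            if self._opcode is not None:  # RFC 6455: fragments of two messages must not interleave
                raise FrameError("new data frame while a fragmented message is pending")
            self._opcode = opcode
        else:
            raise FrameError(f"unsupported opcode {opcode:#x}")
        if self._size + len(payload) > self.max_content_length:  # cap checked before buffering
            self._reset()
            raise FrameError("fragmented message exceeds max_content_length")
        self._parts.append(payload)
        self._size += len(payload)
        if not fin:
            return None  # wait for more fragments, memory held stays under the cap
        message = b"".join(self._parts)
        self._reset()
        return message

def deliver(frames, max_content_length=1024):
    agg, out = BoundedAggregator(max_content_length), []
    try:
        for frame in frames:
            if (msg := agg.feed(frame)) is not None:
                out.append(msg)
    except FrameError as exc:
        return out, str(exc)  # completed messages so far, plus the reason the stream was cut
    return out, None

# Constructed input: a TEXT frame opens a message and continuation fragments keep coming forever.
FLOOD = [(False, OP_TEXT, b"x" * 100)] + [(False, OP_CONTINUATION, b"x" * 100)] * 1000
```

With the cap in place the flood is rejected after roughly ten fragments, whereas the unbounded decoder described in the advisory would keep buffering every fragment.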