First published: Mon Jun 30 2014
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.0.2 serves as a replacement for Red Hat JBoss BPM Suite 6.0.1, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.0.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly at https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not verify the From attribute of a roster-query IQ stanza. A remote attacker could use this flaw to spoof IQ responses. (CVE-2014-0364)

All users of Red Hat JBoss BPM Suite 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.2.
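The Xalan-Java issue above is a reminder that an XSLT engine's secure-processing feature should not be the only control when stylesheet content can come from outside the application. The following is an added example, not code from this advisory or from Red Hat: a JAXP configuration in which only an application-bundled stylesheet is ever compiled, external DTD and stylesheet access is disabled explicitly, and the factory fails closed if the XSLT implementation does not accept those settings. The class and method names (HardenedXslt, hardenedFactory, transform) and the sample documents are assumptions; it requires Java 8 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class HardenedXslt {

    // Factory that does not rely on the secure-processing feature alone:
    // external DTD/stylesheet access is disabled explicitly and any
    // document()/xsl:import/xsl:include resolution is refused outright.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setAttributeOrFail(tf, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        setAttributeOrFail(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("external resource refused: " + href);
        });
        return tf;
    }

    // Fail closed: an implementation that rejects the JAXP 1.5 access
    // properties (e.g. an old standalone Xalan) must not be assumed safe.
    private static void setAttributeOrFail(TransformerFactory tf, String name, String value)
            throws TransformerException {
        try {
            tf.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            throw new TransformerException("XSLT implementation lacks " + name, e);
        }
    }

    // Only application-bundled stylesheets are ever compiled; the XML
    // document is the sole untrusted input.
    static String transform(String trustedXsl, String untrustedXml) throws TransformerException {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(trustedXsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws TransformerException {
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                   + "<xsl:output method=\"text\"/><xsl:template match=\"/\"><xsl:value-of select=\"/doc/name\"/></xsl:template></xsl:stylesheet>";
        System.out.println(transform(xsl, "<doc><name>bpm-suite</name></doc>")); // constructed sample input
    }
}
```

Bundling the stylesheet with the application and treating only the XML document as untrusted removes the attacker's ability to supply XSLT content at all, which is the precondition the advisory describes for CVE-2014-0107; the explicit access restrictions are defence in depth on top of the upgrade.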