First published: Tue Nov 25 2014
Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.0 release serves as a replacement for JBoss Operations Network 3.2.3, and includes several bug fixes. Refer to the JBoss Operations Network 3.3.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/

The following security issues are also fixed with this release:

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity (XXE) attacks on RESTEasy applications accepting XML input. (CVE-2014-3481)

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file. (CVE-2014-0059)

The CVE-2013-2035 and CVE-2012-6153 issues were discovered by Florian Weimer of Red Hat Product Security. The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team. The CVE-2014-3490 issue was discovered by David Jorm of Red Hat Product Security.

All users of JBoss Operations Network 3.2.3 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.3.0.
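The CVE-2014-3481 and CVE-2014-3490 entries above turn on one point: general entity expansion and external parameter entity parsing are separate parser switches, and a fix that flips only the first leaves `%pe;` references in the DTD live. The probe below is an added example (not code from the advisory, RESTEasy or JBoss; RESTEasy is Java, this uses Python's expat binding, which has the same split) that feeds a constructed canary document to a parser and reports which external references reach the entity resolver. The canary and its file:///placeholder URIs are made up for the example and are never fetched.

```python
import xml.parsers.expat as expat

# Constructed canary document (not a real payload). It declares one external
# general entity and one external parameter entity; the file:///placeholder
# system IDs are never fetched, the probe only records what the parser asks
# a resolver for.
CANARY = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ge SYSTEM "file:///placeholder/general.txt">
  <!ENTITY % pe SYSTEM "file:///placeholder/param.dtd">
  %pe;
]>
<doc>&ge;</doc>
"""


def external_refs_requested(xml_bytes, resolve_param_entities):
    """Parse xml_bytes and return the (kind, system_id) pairs the parser
    handed to the external-entity resolver, in order of occurrence.
    The resolver installed here refuses every request (returns 1 without
    parsing anything), so the list is what a permissive resolver would
    actually have read from disk or the network.
    """
    requested = []
    parser = expat.ParserCreate()
    # Parameter-entity parsing is a switch of its own. Leaving it on is the
    # analogue of the incomplete fix in the advisory: "%pe;" in the DTD still
    # reaches the resolver even when content-level expansion is controlled.
    parser.SetParamEntityParsing(
        expat.XML_PARAM_ENTITY_PARSING_ALWAYS if resolve_param_entities
        else expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_external_ref(context, base, system_id, public_id):
        # expat passes context=None for parameter entities and the entity
        # name for general entities referenced from content.
        kind = "parameter" if context is None else "general"
        requested.append((kind, system_id))
        return 1  # treat the entity as empty; fetch nothing

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return requested


def param_entities_reach_resolver(xml_bytes, resolve_param_entities):
    """Regression check for a parser configuration: True means an external
    parameter entity reference in the DTD was handed to the resolver."""
    return any(kind == "parameter" for kind, _ in
               external_refs_requested(xml_bytes, resolve_param_entities))
```

Run `param_entities_reach_resolver(CANARY, ...)` against the configuration an application actually deploys; it must return False, and a resolver that fetches whatever it is handed must never be combined with parameter-entity parsing left on.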