First published: Thu Dec 18 2014
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that Apache CXF incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication. (CVE-2014-3623)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of Red Hat JBoss Enterprise Application Platform 6.3.2 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
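The CXF flaw above is a hostname-verification defect: the client derived the expected server identity from the CN by re-parsing the subject DN as text instead of walking the parsed certificate. The following is an added example, not code from the advisory or from Apache CXF, showing how a TLS client should match a host name against a certificate: it walks the structured subject and subjectAltName fields (in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns), prefers SAN dNSName entries, falls back to the CN only when no SAN is present, and constrains wildcards to the leftmost label. The sample certificates are constructed inline for the demonstration.

```python
"""Hostname verification against a parsed X.509 certificate (RFC 6125 style).

Added example; not part of the advisory and not Apache CXF's or WSS4J's code.
Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(), e.g.
    {"subject": ((("commonName", "host"),),),
     "subjectAltName": (("DNS", "host"), ("DNS", "*.example.com"))}
"""


def _san_dns_names(cert):
    """Return all dNSName entries from subjectAltName, in order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Return every commonName attribute by walking the parsed subject RDNs.

    The subject is a tuple of RDNs, each a tuple of (type, value) pairs.
    Using the parsed structure, rather than searching a rendered DN string
    for "CN=", is what keeps other attributes from masquerading as the CN.
    """
    return [
        value
        for rdn in cert.get("subject", ())
        for (attr_type, value) in rdn
        if attr_type == "commonName"
    ]


def _name_matches(pattern, hostname):
    """Match one certificate name against the requested host name.

    Rules: case-insensitive; a wildcard is only honoured as the entire
    leftmost label, must be followed by at least two more labels, and the
    label counts must agree (so "*.api.example.com" does not cover
    "a.b.api.example.com"). IP-address identities are out of scope here.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # partial-label or multi-wildcard patterns are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert, hostname):
    """Return True only if hostname is an identity asserted by cert.

    If the certificate carries any SAN dNSName, the CN is ignored entirely;
    the CN is consulted only for legacy certificates with no SAN.
    """
    names = _san_dns_names(cert)
    if not names:
        names = _common_names(cert)
    return any(_name_matches(name, hostname) for name in names)


# Constructed sample certificates (not real issued certificates).
CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),), (("commonName", "cn-only.example"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example Org"),), (("commonName", "legacy.example.com"),)),
}

if __name__ == "__main__":
    for cert, host in [
        (CERT_WITH_SAN, "www.example.com"),
        (CERT_WITH_SAN, "cn-only.example"),
        (CERT_WITH_SAN, "v1.api.example.com"),
        (CERT_WITH_SAN, "a.b.api.example.com"),
        (CERT_CN_ONLY, "LEGACY.example.com"),
    ]:
        print(f"{host:24s} -> {verify_hostname(cert, host)}")
```

Note that `cn-only.example` is rejected for `CERT_WITH_SAN` even though it is the certificate's CN: once a SAN is present, the CN carries no identity. That precedence rule, plus reading the CN from the parsed RDNs, is the check a client should apply regardless of which TLS library sits underneath.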
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-cxf | <2.7.12-1.SP1_redhat_5.1.ep6.el6 | 2.7.12-1.SP1_redhat_5.1.ep6.el6 |
| redhat/wss4j | <1.6.16-2.redhat_3.1.ep6.el6 | 1.6.16-2.redhat_3.1.ep6.el6 |
| redhat/apache-cxf | <2.7.12-1.SP1_redhat_5.1.ep6.el7 | 2.7.12-1.SP1_redhat_5.1.ep6.el7 |
| redhat/wss4j | <1.6.16-2.redhat_3.1.ep6.el7 | 1.6.16-2.redhat_3.1.ep6.el7 |
| redhat/apache-cxf | <2.7.12-1.SP1_redhat_5.1.ep6.el5 | 2.7.12-1.SP1_redhat_5.1.ep6.el5 |
| redhat/wss4j | <1.6.16-2.redhat_3.1.ep6.el5 | 1.6.16-2.redhat_3.1.ep6.el5 |