First published: Tue Feb 17 2015
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss BPM Suite 6.0.3 and includes bug fixes and enhancements, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section.

CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
CVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
CVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding input filter
CVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied XSLTs
CVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious content length header
CVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web application
CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
CVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller role check implementation
CVE-2014-3490 RESTEasy: XXE via parameter entities
CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
CVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via ReflectionHelper
CVE-2014-3578 spring: Spring Framework: Directory traversal
CVE-2014-3625 spring: Spring Framework: directory traversal flaw
CVE-2014-3682 jbpm-designer: XXE in BPMN2 import
CVE-2014-8114 UberFire: Information disclosure and RCE via insecure file upload/download servlets
CVE-2014-8115 KIE Workbench: Insufficient authorization constraints

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue, CA Technologies for reporting the CVE-2014-3472 issue, Alexander Papadakis for reporting the CVE-2014-3530 issue, and David Jorm for reporting the CVE-2014-8114 and CVE-2014-8115 issues. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security; the CVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; the CVE-2014-0075, CVE-2014-3490, and CVE-2014-3682 issues were discovered by David Jorm of Red Hat Product Security.

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
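Several of the items above (CVE-2014-3530, CVE-2014-3490, CVE-2014-3682, CVE-2014-0096) are XML external entity issues, and the PicketLink one is attributed specifically to a DocumentBuilderFactory left at its defaults. The Java example below is added here and is not code from the advisory or from any of the affected projects; it places a default factory beside a hardened one so the difference is visible on a constructed document. The class name, method names and the sample document are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlFactoryHardening {

    // Constructed sample (not from the advisory): a document carrying a DOCTYPE
    // with an internal entity. A default parser expands "&e;" to "x"; a hardened
    // parser refuses the DOCTYPE before any entity is considered at all.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [<!ENTITY e \"x\">]>\n"
      + "<foo>&e;</foo>";

    static final String SAMPLE_PLAIN = "<foo>hello</foo>";

    // The insecure form: JAXP defaults accept DOCTYPEs, expand entity
    // references and resolve external general/parameter entities.
    public static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // The hardened form. Disallowing the DOCTYPE declaration is the decisive
    // setting; the remaining features are defence in depth for parsers that
    // do not honour it or for code paths that must accept a DOCTYPE.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static Document parseWith(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the DOCTYPE is accepted and the entity is expanded.
        Document lax = parseWith(defaultFactory(), SAMPLE_WITH_DOCTYPE);
        System.out.println("default factory, root text: "
            + lax.getDocumentElement().getTextContent());   // "x"

        // Hardened factory: the same document is rejected at the DOCTYPE.
        try {
            parseWith(hardenedFactory(), SAMPLE_WITH_DOCTYPE);
            System.out.println("hardened factory: unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("hardened factory rejected input: " + e.getMessage());
        }

        // Ordinary documents without a DOCTYPE still parse normally.
        Document ok = parseWith(hardenedFactory(), SAMPLE_PLAIN);
        System.out.println("hardened factory, root text: "
            + ok.getDocumentElement().getTextContent()); // "hello"
    }
}
```

Where the application legitimately needs DTDs, keep the three entity-related features disabled and drop only the disallow-doctype-decl line; each SAXParseException of this kind surfacing from an untrusted-input path is worth logging, since on a hardened parser it is the observable trace of a document that would otherwise have been processed with entities expanded.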