First published: Tue Feb 17 2015(Updated: )
Red Hat JBoss BRMS is a business rules management system for the<br>management, storage, creation, modification, and deployment of JBoss<br>Rules.<br>This roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS<br>6.0.3, and includes bug fixes and enhancements. It includes various bug<br>fixes, which are listed in the README file included with the patch files.<br>The following security issues are also fixed with this release,<br>descriptions of which can be found on the respective CVE pages linked in<br>the References section.<br>CVE-2012-6153 Apache HttpComponents client: SSL hostname verification<br>bypass, incomplete CVE-2012-5783 fix<br>CVE-2014-3577 Apache HttpComponents client: SSL hostname verification<br>bypass, incomplete CVE-2012-6153 fix<br>CVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service<br>(JAXP, 8017298)<br>CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of<br>user-supplied content in outputText tags and EL expressions<br>CVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and<br>modification of application server configuration and state by application<br>CVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding<br>input filter<br>CVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied<br>XSLTs<br>CVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious<br>content length header<br>CVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web<br>application<br>CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation<br>CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter<br>CVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller<br>role check implementation<br>CVE-2014-3490 RESTEasy: XXE via parameter entities<br>CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage<br>CVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via<br>ReflectionHelper<br>CVE-2014-3578 spring: Spring Framework: Directory traversal<br>CVE-2014-3625 spring: Spring Framework: directory traversal flaw<br>CVE-2014-3682 jbpm-designer: XXE in BPMN2 import<br>CVE-2014-8114 UberFire: Information disclosure and RCE via insecure file<br>upload/download servlets<br>CVE-2014-8115 KIE Workbench: Insufficient authorization constraints<br>Red Hat would like to thank James Roper of Typesafe for reporting the<br>CVE-2014-0193 issue; CA Technologies for reporting the CVE-2014-3472 issue;<br>Alexander Papadakis for reporting the CVE-2014-3530 issue; and David Jorm<br>for reporting the CVE-2014-8114 and CVE-2014-8115 issues. The CVE-2012-6153<br>issue was discovered by Florian Weimer of Red Hat Product Security; the<br>CVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP<br>Quality Engineering team; and the CVE-2014-0075, CVE-2014-3490, and<br>CVE-2014-3682 issues were discovered by David Jorm of Red Hat Product<br>Security.<br>All users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer<br>Portal are advised to apply this roll up patch.
Affected Software | Affected Version | How to fix |
---|
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.