First published: Wed Mar 11 2015
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems—such as multiple databases, XML files, and even Hadoop systems—appear as a set of tables in a local database.

The release of Red Hat JBoss Data Virtualization 6.1.0 serves as a replacement for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release; a description of each can be found on the respective CVE page linked in the References section.

CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
CVE-2014-3490 RESTEasy: XXE via parameter entities
CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
CVE-2014-7839 RESTEasy: External entities expanded by DocumentProvider
CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state

Red Hat would like to thank James Roper of Typesafe for reporting CVE-2014-0193, Alexander Papadakis for reporting CVE-2014-3530, and Rune Steinseth of JProfessionals for reporting CVE-2014-8122. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security, the CVE-2014-0075 and CVE-2014-3490 issues were discovered by David Jorm of Red Hat Product Security, and the CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team.

All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.