First published: Tue Mar 24 2015 (Updated: )
Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section.

CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2014-3625 spring: Spring Framework: directory traversal flaw
CVE-2014-3578 spring: Spring Framework: Directory traversal
CVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via ReflectionHelper
CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
CVE-2014-3490 RESTEasy: XXE via parameter entities
CVE-2014-3481 jboss-as-jaxrs: JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
CVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller role check implementation
CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
CVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web application
CVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious content length header
CVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied XSLTs
CVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding input filter
CVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
CVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue; CA Technologies for reporting the CVE-2014-3472 issue; and Alexander Papadakis for reporting the CVE-2014-3530 issue. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security; the CVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; the CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team; and the CVE-2014-0075 and CVE-2014-3490 issues were discovered by David Jorm of Red Hat Product Security.

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
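Several of the entries above (CVE-2014-3530, CVE-2014-3481, CVE-2014-3490, CVE-2014-0096) are XXE flaws rooted in a JAXP parser that resolves external entities by default. The following is an added example, not code from the advisory or from the affected projects, showing how a `DocumentBuilderFactory` is hardened against that class of bug and how it behaves on a constructed document carrying an external-entity DOCTYPE; the class and method names are the example's own.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Factory configured to refuse DTDs and external entities (JAXP/Xerces feature URIs).
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks classic XXE and entity-expansion DoS in one step.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that only honour the SAX-level switches.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedFactory();

        // Constructed benign input: no DOCTYPE, parses normally.
        Document ok = parse(dbf, "<order><id>42</id></order>");
        System.out.println("benign document root: " + ok.getDocumentElement().getTagName());

        // Constructed XXE-shaped input: a DTD declaring an external entity (placeholder URI).
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
                + "<d>&ext;</d>";
        try {
            parse(dbf, xxe);
            System.out.println("unexpected: hardened factory accepted a DOCTYPE");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is rejected before any entity could be resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same feature switches apply to `SAXParserFactory` and, for the XSLT case, to the `TransformerFactory` via `XMLConstants.FEATURE_SECURE_PROCESSING` and the `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` attributes.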