First published: Wed Apr 01 2015
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

This release of Red Hat JBoss Data Grid 6.4.1 serves as a replacement for Red Hat JBoss Data Grid 6.4.0. It includes various bug fixes and enhancements, which are detailed in the Red Hat JBoss Data Grid 6.4.1 Release Notes. The Release Notes are available at:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

This update also fixes the following security issues:

It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2015-0226)

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002)

It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2014-7839)

It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request. (CVE-2015-0227)

It was discovered that under specific conditions the conversation state information stored in a thread-local variable in JBoss Weld was not sanitized correctly when the conversation ended. This could lead to a race condition that could potentially expose sensitive information from a previous conversation to the current conversation. (CVE-2014-8122)

Red Hat would like to thank Rune Steinseth of JProfessionals for reporting the CVE-2014-8122 issue.

All users of Red Hat JBoss Data Grid 6.4.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.4.1.
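The RESTEasy DocumentProvider issue (CVE-2014-7839) comes down to two JAXP parser features being left at their defaults. The following is an added example, not code from the advisory or from RESTEasy, that configures a DocumentBuilderFactory with those two features turned off and parses a constructed request carrying an external entity; the placeholder file path and the stricter disallow-doctype-decl setting are assumptions beyond what the advisory names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample request: declares an external general entity
    // (placeholder path, not a real target) and references it inside <data>.
    static final String SAMPLE_REQUEST =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE request [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret\"> ]>\n"
      + "<request><data>&ext;</data></request>";

    // The flawed DocumentProvider left both SAX features at their default
    // (true), so a stock DocumentBuilderFactory.newInstance() would fetch
    // the entity target and inline it. This factory turns both off; with
    // rejectDoctype it also enables disallow-doctype-decl, a stricter
    // setting (not named in the advisory) that refuses any DTD at all.
    static DocumentBuilderFactory hardenedFactory(boolean rejectDoctype) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        if (rejectDoctype) {
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return f;
    }

    // Parses the sample and returns the text of <data>. With the hardened
    // factory the external entity is skipped, so no file content appears.
    static String parseData(DocumentBuilderFactory f) throws Exception {
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_REQUEST.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("data").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("entities disabled, <data> = [" + parseData(hardenedFactory(false)) + "]");
        try {
            parseData(hardenedFactory(true));
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Endpoints that never legitimately receive a DTD should run with the rejectDoctype variant, since it also closes off entity-based resource exhaustion rather than only external fetches.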