First published: Thu Apr 16 2015
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.1.0 serves as a replacement for Red Hat JBoss BPM Suite 6.0.3, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.1.0 Release Notes for information on the most significant of these changes. The Release Notes are available at https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section.

CVE-2012-6153 Jakarta Commons httpclient / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers
CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates
CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
CVE-2014-3577 Jakarta Commons httpclient / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
CVE-2014-7827 JBoss Security: Wrong security context loaded when using SAML2 STS Login Module
CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state
CVE-2014-8125 jBPM: BPMN2 file processing XXE in Process Execution

Red Hat would like to thank Rune Steinseth of JProfessionals for reporting the CVE-2014-8122 issue. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security; the CVE-2014-8125 issue was discovered by Jeremy Lindop of Red Hat; the CVE-2014-7827 issue was discovered by Ondra Lukas of the Red Hat Quality Engineering Team; the CVE-2013-2133 issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat.

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.0.