First published: Tue Jun 23 2015
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.2.0 is a minor product release that updates Red Hat JBoss A-MQ 6.1.0 and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the link in the References section, for a list of changes.

The following security issues are resolved with this update:

It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

It was found that JBoss Fuse would allow any user defined in the users.properties file to access the HawtIO console without having a valid admin role. This could allow a remote attacker to bypass the intended authentication restrictions on HawtIO console access. (CVE-2014-8175)

It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2015-0226)

It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request. (CVE-2015-0227)

It was found that PKIX trust components allowed an X509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority. (CVE-2015-1796)

The CVE-2014-8175 issue was reported by Jay Kumar SenSharma of Red Hat.

All users of Red Hat JBoss A-MQ 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this update.