Important: JBoss Enterprise Application Platform 6.0.1 update
Security Advisory: Important
Updated JBoss Enterprise Application Platform 6.0.1 packages that fix
multiple security issues, various bugs, and add enhancements are now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
JBoss Enterprise Application Platform 6 is a platform for Java applications
based on JBoss Application Server 7.
This release serves as a replacement for JBoss Enterprise Application
Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/knowledge/docs/
This update removes unused signed JARs; unused SHA1 checksums from JAR
MANIFEST.MF files to reduce the Server memory footprint; adds MANIFEST.MF
to JAR files where it was previously missing; and removes redundant Javadoc
files from the main packages. (BZ#853551)
Security fixes:
Apache CXF checked to ensure XML elements were signed or encrypted by a
Supporting Token, but not whether the correct token was used. A remote
attacker could transmit confidential information without the appropriate
security, and potentially circumvent access controls on web services
exposed via Apache CXF. (CVE-2012-2379)
When using role-based authorization to configure EJB access, JACC
permissions should be used to determine access; however, due to a flaw the
configured authorization modules (JACC, XACML, etc.) were not called, and
the JACC permissions were not used to determine access to an EJB.
(CVE-2012-4550)
A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy
1.1 on the client side could, in certain cases, lead to a client failing to
sign or encrypt certain elements as directed by the security policy,
leading to information disclosure and insecure information transmission.
(CVE-2012-2378)
A flaw was found in the way IronJacamar authenticated credentials and
returned a valid datasource connection when configured to
"allow-multiple-users". A remote attacker, provided the correct subject,
could obtain a datasource connection that might belong to a privileged
user. (CVE-2012-3428)
It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks
under certain conditions. Note that WS-Policy validation is performed
against the operation being invoked, and an attack must pass validation to
be successful. (CVE-2012-3451)
When there are no allowed roles for an EJB method invocation, the
invocation should be denied for all users. It was found that the
processInvocation() method in
org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes
all method invocations to proceed when the list of allowed roles is empty.
(CVE-2012-4549)
It was found that in Mojarra, the FacesContext that is made available
during application startup is held in a ThreadLocal. The reference is not
properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF)
WAR calls FacesContext.getCurrentInstance() during application startup,
another WAR can get access to the leftover context and thus get access to
the other WAR's resources. A local attacker could use this flaw to access
another WAR's resources using a crafted, deployed application.
(CVE-2012-2672)
An input sanitization flaw was found in the mod_negotiation Apache HTTP
Server module. A remote attacker able to upload or create files with
arbitrary names in a directory that has the MultiViews options enabled,
could use this flaw to conduct cross-site scripting attacks against users
visiting the site. (CVE-2008-0455, CVE-2012-2687)
Red Hat would like to thank the Apache CXF project for reporting
CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue
was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering
team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of
the Red Hat Security Response Team; and CVE-2012-2672 was discovered by
Marek Schmidt and Stan Silvert of Red Hat.
Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed applications.
Refer to the Solution section for further details.
All users of JBoss Enterprise Application Platform 6.0.0 on Red Hat
Enterprise Linux 5 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized
JBoss Enterprise Application Platform 6 configuration files. On update, the
configuration files that have been locally modified will not be updated.
The updated version of such files will be stored as the rpmnew files. Make
sure to locate any such files after the update and merge any changes
manually.
For more details, refer to the Release Notes for JBoss Enterprise
Application Platform 6.0.1, available shortly from
https://access.redhat.com/knowledge/docs/
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
Vulmon