Low: Red Hat JBoss Enterprise Application Platform 6.2.0 update

Related Vulnerabilities: CVE-2013-2035   CVE-2013-2133

Synopsis

Low: Red Hat JBoss Enterprise Application Platform 6.2.0 update

Type/Severity

Security Advisory: Low

Topic

Updated Red Hat JBoss Enterprise Application Platform 6.2.0 packages that
fix two security issues, several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
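As an added illustration (not HawtJNI or EAP code), the predictable temporary-path pattern described above is shown next to a hardened extraction that writes into a private 0700 directory with an unpredictable name and opens the target with CREATE_NEW, so a file already present at that path is rejected rather than reused. It assumes a POSIX filesystem; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;

/** Hypothetical loader illustrating the CVE-2013-2035 pattern and its fix (not HawtJNI code). */
public final class SafeNativeLoader {

    // Vulnerable shape: a fixed, guessable path in the shared temp directory.
    // Every local user can predict it, so a file planted there between the
    // library being written and System.load() being called would be executed.
    static Path predictablePath(String libName) {
        return Paths.get(System.getProperty("java.io.tmpdir"), libName + ".so");
    }

    // Hardened shape: a private directory (mode 0700, random suffix) owned by
    // this process, and CREATE_NEW so an already-present file is rejected
    // instead of silently reused.
    static Path extractPrivately(InputStream bundled, String libName) throws IOException {
        Path dir = Files.createTempDirectory("native-", PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        Path lib = dir.resolve(libName + ".so");
        try (OutputStream out = Files.newOutputStream(lib,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = bundled.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        // Drop the write bit once the content is final; only the owner may read/execute.
        Files.setPosixFilePermissions(lib, PosixFilePermissions.fromString("r-x------"));
        return lib;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a native library read out of the JAR.
        byte[] fake = "constructed sample, not a real shared object".getBytes("UTF-8");
        Path lib = extractPrivately(new ByteArrayInputStream(fake), "libdemo");
        System.out.println("predictable (unsafe): " + predictablePath("libdemo"));
        System.out.println("private   (safe):     " + lib);
        // A real loader would now call System.load(lib.toString()).
    }
}
```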

A flaw was found in the way method-level authorization for JAX-WS Service
endpoints was performed by the EJB invocation handler implementation.
Any restrictions declared on EJB methods were ignored when executing the
JAX-WS handlers, and only class-level restrictions were applied. A remote
attacker who was authorized to access the EJB class could invoke a JAX-WS
handler that they were not authorized to invoke. (CVE-2013-2133)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team, and the CVE-2013-2133 issue was discovered by
Richard Opalka and Arun Neelicattu of Red Hat.

This release serves as a replacement for JBoss Enterprise Application
Platform 6.1.1, and includes bug fixes and enhancements. Documentation for
these changes will be available shortly from the JBoss Enterprise
Application Platform 6.2.0 Release Notes, linked to in the References.

All users of JBoss Enterprise Application Platform 6.1.1 on Red Hat
Enterprise Linux 6 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized Red
Hat JBoss Enterprise Application Platform 6 configuration files. On update,
configuration files that have been locally modified will not be
overwritten; the updated version of each such file will be stored as a
.rpmnew file. Make sure to locate any such files after the update and merge
any changes manually.

For more details, refer to the JBoss Enterprise Application Platform 6.2.0
Release Notes, linked to in the References.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

  • JBoss Enterprise Application Platform from RHUI 6 x86_64
  • JBoss Enterprise Application Platform from RHUI 6 i386
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
  • JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6 for RHEL 6 i386

Fixes

  • BZ - 958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
  • BZ - 969924 - CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers
  • BZ - 996918 - RHEL 6 RPMs: Upgrade resteasy to 2.3.7.Final-redhat-2
  • BZ - 1004035 - Upgrade jbossts to 4.17.15.Final-redhat-4
  • BZ - 1004055 - RHEL 6 RPMs: Upgrade apache-cxf to 2.7.7.redhat-1
  • BZ - 1004058 - RHEL 6 RPMs: Upgrade wss4j to 1.6.12.redhat-1
  • BZ - 1004063 - RHEL 6 RPMs: Upgrade jboss-modules to 1.3.0.Final-redhat-1
  • BZ - 1004067 - RHEL 6 RPMs: Upgrade jboss-remoting3-jmx to 1.1.2.Final-redhat-1
  • BZ - 1004069 - RHEL 6 RPMs: Upgrade jbossws-cxf to 4.2.3.Final-redhat-1
  • BZ - 1004071 - RHEL 6 RPMs: Upgrade jbossws-api to 1.0.2.Final-redhat-1
  • BZ - 1004074 - RHEL6 RPMs: Upgrade jbossws-common to 2.2.3.Final-redhat-1
  • BZ - 1004076 - RHEL 6 RPMs: Upgrade jbossws-common-tools to 1.2.0.Final-redhat-2
  • BZ - 1004077 - RHEL6 RPMs: Upgrade jbossws-spi to 2.2.2.Final-redhat-1
  • BZ - 1004078 - RHEL 6 RPMs: Upgrade jboss-dmr to 1.2.0.Final-redhat-1
  • BZ - 1004079 - RHEL 6 RPMs: Upgrade opensaml to 2.5.3.redhat-1
  • BZ - 1004082 - RHEL 6 RPMs: Upgrade xmltooling to 1.3.4.redhat-1
  • BZ - 1004769 - RHEL 6 RPMs: Upgrade jgroups to 3.2.12.Final-redhat-1
  • BZ - 1004772 - RHEL 6 RPMs: Upgrade jboss-threads to 2.1.1.Final-redhat-1
  • BZ - 1004774 - RHEL 6 RPMs: Upgrade jboss-marshalling to 1.4.2.Final-redhat-1
  • BZ - 1004776 - RHEL 6 RPMs: Upgrade jboss-logmanager to 1.5.1.Final-redhat-1
  • BZ - 1004779 - RHEL 6 RPMs: Upgrade javassist-eap6 to 3.18.1.GA-redhat-1
  • BZ - 1005859 - RHEL 6 RPMs: Upgrade jboss-aesh to 0.33.8.redhat-1
  • BZ - 1005861 - RHEL 6 RPMs: Upgrade jboss-ejb3-ext-api to 2.1.0.redhat-1
  • BZ - 1006489 - RHEL 6 RPMs: Upgrade hornetq to 2.3.12.Final-redhat-1
  • BZ - 1009913 - RHEL 6 RPMs: Upgrade weld-core to 1.1.16.Final-redhat-1
  • BZ - 1010051 - RHEL 6 RPMs: Upgrade jboss-vfs2 to 3.2.2.Final-redhat-1
  • BZ - 1010052 - RHEL 6 RPMs: Upgrade mod_cluster to 1.2.6.Final-redhat-1
  • BZ - 1010073 - RHEL 6 RPMs: Upgrade mod_cluster-native to 1.2.6.Final-redhat-1
  • BZ - 1010808 - Upgrade jboss-as-console to 2.0.6.Final-redhat-1
  • BZ - 1010809 - Upgrade jboss-hal to 2.0.6.Final-redhat-1
  • BZ - 1011556 - RHEL 6 RPMs: Upgrade shrinkwrap to 1.1.2.redhat-1
  • BZ - 1011589 - RHEL 6 RPMs: Upgrade openws to 1.4.4.redhat-2
  • BZ - 1011666 - RHEL 6 RPMs: Upgrade hornetq-native to 2.3.8.Final-redhat-1
  • BZ - 1018553 - Upgrade jboss-remoting3 to 3.2.18.GA-redhat-1
  • BZ - 1019912 - RHEL6 RPMs: Upgrade picketlink-federation to 2.1.9.Final-redhat-1
  • BZ - 1021668 - RHEL6 RPMs: Upgrade scannotation to 1.0.3.redhat-4
  • BZ - 1022848 - RHEL6 RPMs: Upgrade jbossws-native to 4.1.2.Final-redhat-1
  • BZ - 1023181 - RHEL6 RPMs: Upgrade jboss-jacc-api_1.4_spec to 1.0.3.Final-redhat-1
  • BZ - 1023219 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.7.SP1-redhat-3
  • BZ - 1023464 - RHEL6 RPMs: Upgrade picketbox to 4.0.19.SP2-redhat-1
  • BZ - 1023475 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.2.6.Final-redhat-1
  • BZ - 1025282 - RHEL6 RPMs: Upgrade jbossas-javadocs to 7.3.0-3.Final_redhat_14
  • BZ - 1026393 - RHEL6 RPMs: Upgrade jboss-ejb-client to 1.0.24.Final-redhat-1
  • BZ - 1032152 - RHEL6 RPMs: Upgrade jboss-genericjms to 1.0.1.Final-redhat-1
  • BZ - 1032816 - RHEL6 RPMs: Upgrade ironjacamar-eap6 to 1.0.23.Final-redhat-1
