Reference: CERT-EU Security Advisory 2012-0035
Title: JBOSS Security Updates [1]
Version history: 13.03.2012 Initial publication

Summary
=======
JBoss Enterprise SOA Platform 5.2.0 roll up patch 1, which fixes one security issue and various bugs, is now available from the Red Hat Customer Portal. [1]

CVE-2011-4314
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) [2][5]

Vulnerable systems
==================
JBoss Enterprise SOA Platform 5.2 [2]

Original Details
================
It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)

What can you do?
================
The fix is available via the Red Hat Network. For more details on how to use the Red Hat Network to apply this update, see references [1-4].

Warning: Before applying the update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

What to tell your users?
========================
N/A

More information
================
[1] https://rhn.redhat.com/errata/RHSA-2012-0378.html
[2] https://access.redhat.com/security/cve/CVE-2011-4314
[3] https://bugzilla.redhat.com/show_bug.cgi?id=754386
[4] https://www.redhat.com/wapps/sso/login.html?redirect=https%3A%2F%2Faccess.redhat.com%2Fjbossnetwork%2F%2Frestricted%2FlistSoftware.html%3Fproduct%3Dsoaplatform%26downloadType%3DsecurityPatches%26version%3D5.2.0+GA
[5] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
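The signed-field check that the Original Details section says OpenID4Java's AX extension lacked, shown as an added example in Python (not OpenID4Java's own code): a relying party parses an OpenID 2.0 positive assertion and refuses the AX attributes unless every AX field, including the namespace declaration, is listed in openid.signed. The query strings, the ext1 alias and the dummy signature are constructed, and verification of openid.sig itself is assumed to happen elsewhere.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

def ax_alias(fields):
    """Return the extension alias bound to the AX namespace, or None."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def unsigned_ax_fields(fields):
    """AX field names (without 'openid.') missing from openid.signed. This is
    the check CVE-2011-4314 lacked: openid.sig only covers the fields named
    in openid.signed, so unsigned AX data can be altered on the wire."""
    alias = ax_alias(fields)
    if alias is None:
        return []
    signed = set(fields.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}."
    needed = [f"ns.{alias}"] + [k[len("openid."):] for k in fields if k.startswith(prefix)]
    return [name for name in needed if name not in signed]

def extract_ax_attributes(query_string):
    """Return {type_uri: value} from the AX fetch response only if every AX
    field is signature-covered; otherwise raise ValueError. Verifying
    openid.sig itself is assumed to happen elsewhere."""
    fields = dict(parse_qsl(query_string, keep_blank_values=True))
    unsigned = unsigned_ax_fields(fields)
    if unsigned:
        raise ValueError(f"AX fields outside openid.signed: {unsigned}")
    alias = ax_alias(fields)
    if alias is None:
        return {}
    type_prefix = f"openid.{alias}.type."
    return {uri: fields.get(f"openid.{alias}.value.{key[len(type_prefix):]}")
            for key, uri in fields.items() if key.startswith(type_prefix)}

# Constructed sample assertions (not captured traffic; openid.sig is a dummy).
SIGNED_OK = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice@example.org"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email&openid.sig=ZHVtbXk"
)
# Same assertion with the AX fields dropped from openid.signed: must be rejected.
UNSIGNED_AX = SIGNED_OK.replace(",ns.ext1,ext1.mode,ext1.type.email,ext1.value.email", "")
```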