Reference: CERT-EU Security Advisory 2012-0049
Title: JBoss Enterprise BRMS Platform 5.2.0 update [1]
Version history: 04.04.2012 Initial publication

Summary
=======

JBoss Enterprise BRMS Platform 5.2.0 roll up patch 1 fixes two security issues and various bugs:

- RESTEasy is vulnerable to XML External Entity (XXE) attacks - CVE-2012-0818
- The Attribute Exchange (AX) extension of OpenID4Java is vulnerable to man-in-the-middle attacks - CVE-2011-4314

These vulnerabilities may allow privileged data to be accessed remotely. The Red Hat Security Response Team has rated this update as having moderate security impact.

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) [4]

Vulnerable systems
==================

All users of JBoss Enterprise BRMS Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

Original Details
================

It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818)

It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314)

What can you do?
================

A fix is available [1].

What to tell your users?
========================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-0441.html
[2] https://access.redhat.com/security/cve/CVE-2012-0818
[3] https://access.redhat.com/security/cve/CVE-2011-4314
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)