Reference: CERT-EU Security Advisory 2012-0097
Title: JBoss Enterprise SOA Platform 5.3.0 security update [1]
Version history: 13.08.2012 Initial publication

Summary
=======

An update for the JMX Console in JBoss Enterprise SOA Platform 5.3.0 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact.

CVE-2011-2908
CVSS v2 Base Score: 4.6 (MEDIUM) [2,3]
Base Metrics: (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Vulnerable systems
==================

JBoss Enterprise SOA Platform 5.3.0

Original Details
================

It was found that the JMX Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user who was logged into the JMX Console into visiting a specially-crafted URL, the attacker could perform operations on MBeans, which may lead to arbitrary code execution in the context of the JBoss server process. (CVE-2011-2908) [1]

What can you do?
================

A fix is available [1]. Note that it is recommended to halt the JBoss Enterprise SOA Platform server by stopping the JBoss Application Server process before installing this update, and then, after the update is installed, to restart the JBoss Enterprise SOA Platform server by starting the JBoss Application Server process.

What to tell your users?
========================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-1152.html
[2] https://access.redhat.com/security/cve/CVE-2011-2908
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
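Added example (not part of the CERT-EU advisory or of Red Hat's fix) for the issue described under "Original Details": until the update is applied, a CSRF-driven MBean operation shows up in the web access log as a state-changing JMX Console request whose Referer is absent or belongs to a foreign origin. The script scans combined-format log lines for that pattern; the /jmx-console/HtmlAdaptor path and the action= parameter names are assumed from JBoss AS 5 and are not stated in the advisory, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Combined log format (with Referer and User-Agent fields).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed (JBoss AS 5 JMX Console, not from the advisory): HtmlAdaptor actions that
# change state, i.e. invoke an MBean operation or write attributes.
STATE_CHANGING = ("action=invokeOp", "action=invokeOpByName", "action=updateAttributes")

def flag_csrf_candidates(lines, server_host):
    """Return (ip, user, path, referer, reason) for state-changing JMX Console
    requests that did not originate from the console's own origin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/jmx-console/") or not any(a in path for a in STATE_CHANGING):
            continue  # not the console, or a read-only view such as inspectMBean
        referer = m.group("referer")
        if referer == "-":
            reason = "missing Referer on state-changing JMX Console request"
        else:
            ref_host = (urlsplit(referer).hostname or "").lower()
            if ref_host == server_host.lower():
                continue  # same-origin navigation inside the console
            reason = f"cross-origin Referer host {ref_host}"
        findings.append((m.group("ip"), m.group("user"), path, referer, reason))
    return findings

# Constructed sample lines (not real traffic): a same-origin invocation, a foreign
# Referer, no Referer at all, and a read-only view that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - admin [13/Aug/2012:10:00:01 +0200] "POST /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:type=Server HTTP/1.1" 200 512 "http://soa.example.internal:8080/jmx-console/HtmlAdaptor?action=inspectMBean" "Mozilla/5.0"',
    '10.0.0.5 - admin [13/Aug/2012:10:03:17 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:type=Server HTTP/1.1" 200 512 "http://evil.example.test/page.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [13/Aug/2012:10:04:02 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:type=Server HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - admin [13/Aug/2012:10:05:00 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss:service=JNDIView HTTP/1.1" 200 2048 "http://evil.example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in flag_csrf_candidates(SAMPLE_LOG, "soa.example.internal"):
        print(*finding)
```

A missing Referer is a weaker signal than a foreign one, since browsers and proxies may strip the header on legitimate requests; treat those hits as candidates for review rather than confirmed CSRF.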