Reference: CERT-EU Security Advisory 2012-0149

Title: JBoss Enterprise SOA Platform 5.3.0 update [1]

Version history:
20.12.2012 Initial publication

Summary
=======

JBoss Enterprise SOA Platform 5.3.0 roll up patch 2, which fixes one security issue and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact.

CVE numbers [2]: CVE-2012-2379

Affected Versions
=================

JBoss Enterprise SOA Platform 5.3.0

Original Details
================

A flaw was found in the way Apache CXF verified that XML elements were signed or encrypted by a particular Supporting Token. Apache CXF checked to ensure these elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379)

What can you do?
================

This update is now available from the Red Hat Customer Portal. [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-1593.html
[2] https://www.redhat.com/security/data/cve/CVE-2012-2379.html
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.0+GA

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
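
The check described under "Original Details", as a simplified model added here (it is not Apache CXF code and not part of the advisory). The classes, token ids, element ids and function names are hypothetical; the model contrasts accepting protection made with any token against requiring the token the policy names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Protection:
    """One signature/encryption result found in a message (hypothetical model)."""
    kind: str               # "signed" or "encrypted"
    token_id: str           # token whose key produced the protection
    element_ids: frozenset  # ids of the XML elements it covers

@dataclass(frozen=True)
class SupportingTokenPolicy:
    """Policy: these elements must be protected by this supporting token."""
    token_id: str
    kind: str
    required_elements: frozenset

def _covered(policy, protections, bind_to_token):
    covered = set()
    for p in protections:
        if p.kind != policy.kind:
            continue
        if bind_to_token and p.token_id != policy.token_id:
            continue  # protection made with some other token does not count
        covered |= p.element_ids
    return covered

def check_any_token(policy, tokens_present, protections):
    """Flaw as described: elements are protected, but by which token is not checked."""
    return (policy.token_id in tokens_present
            and policy.required_elements <= _covered(policy, protections, False))

def check_bound_token(policy, tokens_present, protections):
    """Corrected logic: only protection made with the policy's own token counts."""
    return (policy.token_id in tokens_present
            and policy.required_elements <= _covered(policy, protections, True))

# Constructed sample data: policy wants "body" and "ts" signed by "tok-supporting".
POLICY = SupportingTokenPolicy("tok-supporting", "signed", frozenset({"body", "ts"}))
TOKENS = {"tok-supporting", "tok-other"}
MESSAGES = {
    "wrong_token": [Protection("signed", "tok-other", frozenset({"body", "ts"}))],
    "right_token": [Protection("signed", "tok-supporting", frozenset({"body", "ts"}))],
    "partial": [Protection("signed", "tok-supporting", frozenset({"ts"})),
                Protection("signed", "tok-other", frozenset({"body"}))],
}

def evaluate():
    """Return {message name: (any-token result, bound-token result)}."""
    return {name: (check_any_token(POLICY, TOKENS, m), check_bound_token(POLICY, TOKENS, m))
            for name, m in MESSAGES.items()}
```

A message is acceptable only when both results agree on True; a True/False pair marks a message that the unbound check would have let through.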