-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0065
Title: JBoss SOA Platform 5.3.1 security update [1]
Version history: 09.08.2013 Initial publication

Summary
=======
Red Hat JBoss SOA Platform 5.3.1 roll-up patch 3, which fixes three
security issues and various bugs, is now available from the Red Hat
Customer Portal. The Red Hat Security Response Team has rated this update
as having moderate security impact.

CVE numbers: CVE-2012-5783 CVE-2013-0269 CVE-2013-1821 [2]

Affected Versions
=================
JBoss SOA Platform 5.3.1

Original Details
================
Security fixes:

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or in
the subjectAltName extension of the server's X.509 certificate. A
man-in-the-middle attacker holding a certificate that was valid for some
other domain name (issued by any CA the client trusts) could therefore
spoof an SSL server: the certificate chain validated, and the mismatch in
the name it was issued for went unnoticed. (CVE-2012-5783)

A flaw in JRuby's JSON gem allowed remote attackers to have the parser
instantiate arbitrary Ruby object types from a JSON document. For
example, a document could create arbitrary Ruby symbols, which were never
garbage collected, causing a denial of service through memory
consumption. It could also be used to create internal objects that, when
passed on to a database layer, could allow a SQL injection attack.
(CVE-2013-0269)

It was discovered that JRuby's REXML library did not properly restrict
XML entity expansion. An attacker could use this flaw to cause a denial
of service by tricking a Ruby application using REXML into reading text
nodes from specially crafted XML content, resulting in REXML consuming
large amounts of system memory. (CVE-2013-1821)

What can you do?
================
This update is available via the Red Hat Network.
[3]

What to tell your users
=======================
N/A

More information
================
[1] https://rhn.redhat.com/errata/RHSA-2013-1147.html
[2] https://www.redhat.com/security/data/cve/CVE-2012-5783.html
    https://www.redhat.com/security/data/cve/CVE-2013-0269.html
    https://www.redhat.com/security/data/cve/CVE-2013-1821.html
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.3.1+GA

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJSBL88AAoJEPpzpNLI8SVo+c8P/32UPMvLCRJ+DttwIFjF6fmH
4d2J7V9lDpgyneCaANG/w/UkeIRQLYYbAGDRHMsyBFUNhenv/vKlA0az8lopsrrP
lJ00ruW4s5A/Hvx0vYA8kJWjmpL4lKep4F9BCb6kypuO9q7+bibyUeMM5Wc2AkpT
0lQqQjiKcyZciUf8iHZcPzTlvxGOjuHgHgq8zzpi290PUMLgHTeN58byYaA3mT++
f7bp4H5UdtcjcVeMU+UiknvfCpipFsNga4a7SBjtNeb+QSrfMJkd9wwoPPem2/uY
hIDWnWdgUB1DC8M2PDCVt7tk4NdEJcE5Vfje1ilU+EU6gcLA/7sBJHMdFeTp0pBR
Y+rZLp0AqdQItj2cATyFGTgjcqv0e/NBs0lXnEkuihIU2387gHtD0PM2/ADgwZhi
o1HCFoUxpkHd8LtcbUjQUIIEPm1HQaxw960glIsKhaU5/EHvrDCkzO8b2nYUKEba
hx2aWvd1b5vGtwesYIg7YzNTDfTiJWfkjEm3gBrvUNhyfpPFaBASQziCe2wXqd1i
eLMb3B1tCeMWre0HtJ8IMZc367lfmqIZb3g3DC05b2ckm8s9sG8V/uo2a0tUQfJ7
VicGTV0VntIN8CDc+xVfwHget2jTEVRHU8t/5mG/Y2Wo/nUkdy0p0E9on884BD3H
QZR8ujiyqKf57PnLlm8R
=E8gJ
-----END PGP SIGNATURE-----
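Editor's note on CVE-2012-5783 (added here, outside the signed advisory; this is not CERT-EU, Red Hat or HttpClient code). The worked example below shows the difference between validating a certificate chain and checking the server's identity. It builds constructed self-signed certificates with Ruby's OpenSSL bindings and puts both the legitimate server's certificate and an attacker's certificate for another domain into one trust store, modelling "any certificate from a CA the client trusts". `chain_valid?` stops where the flawed HttpClient stopped; `accept_server?` adds the dNSName SAN / CN match (via `OpenSSL::SSL.verify_certificate_identity`) that the advisory says was missing. All host names are made up.

```ruby
require 'openssl'

# Build a self-signed X.509 v3 certificate for a CN and a list of DNS SANs.
# Constructed test data standing in for CA-issued certificates.
def make_server_cert(cn:, sans:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                              # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject                   # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  unless sans.empty?
    san_value = sans.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The legitimate server's certificate (SAN-based), a legacy CN-only
# certificate, and an equally "valid" certificate an attacker holds for a
# domain they control.
SERVER_CERT   = make_server_cert(cn: "shop.example.com",
                                 sans: ["shop.example.com", "www.shop.example.com"])
CN_ONLY_CERT  = make_server_cert(cn: "legacy.example.org", sans: [])
ATTACKER_CERT = make_server_cert(cn: "attacker.example.net", sans: ["attacker.example.net"])

# Trust store that accepts all three issuers: every certificate above chains
# to something the client trusts.
TRUST = OpenSSL::X509::Store.new
[SERVER_CERT, CN_ONLY_CERT, ATTACKER_CERT].each { |c| TRUST.add_cert(c) }

# Chain validation only. This is where the flawed HttpClient effectively
# stopped: any trusted certificate passes, whatever name it was issued for.
def chain_valid?(store, cert)
  store.verify(cert)
end

# Chain validation plus identity check: the host the client connected to must
# match a dNSName SAN, or the subject CN if the certificate has no SAN.
def accept_server?(store, cert, hostname)
  chain_valid?(store, cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $PROGRAM_NAME
  puts "attacker cert, chain only:    #{chain_valid?(TRUST, ATTACKER_CERT)}"                       # true
  puts "attacker cert, with identity: #{accept_server?(TRUST, ATTACKER_CERT, 'shop.example.com')}" # false
  puts "server cert, with identity:   #{accept_server?(TRUST, SERVER_CERT, 'shop.example.com')}"   # true
  puts "CN-only cert, with identity:  #{accept_server?(TRUST, CN_ONLY_CERT, 'legacy.example.org')}" # true
end
```

The identity check is deliberately a separate step after chain validation: a client that only asks "is this certificate trusted?" accepts the attacker's certificate for `shop.example.com`, which is exactly the spoofing scenario the advisory describes. Note that once a certificate carries dNSName SANs, the CN is no longer consulted; the CN fallback applies only to SAN-less certificates.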
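Editor's note on CVE-2013-0269 (added here, outside the signed advisory; not CERT-EU, Red Hat or JSON-gem code). The example below shows the mechanism behind "creating different types of malicious objects": with the JSON gem's `create_additions` behaviour enabled, a `json_class` key in attacker-supplied JSON makes the parser call that class's `json_create` hook, so a document can mint a Symbol (or any other class with such a hook) instead of yielding plain data. It assumes the application has loaded `json/add/symbol`, as applications that round-trip Ruby objects through JSON do; the payload is constructed.

```ruby
require 'json'
require 'json/add/symbol'   # defines Symbol.json_create, as object-serialising apps do

# Constructed attacker document: "json_class" names the class to instantiate,
# "s" is the argument Symbol.json_create turns into a symbol.
PAYLOAD = '{"json_class":"Symbol","s":"attacker_controlled_42"}'

# Flawed setting: the parser instantiates whatever class the document names.
# Each request can mint a fresh symbol (never collected on the Ruby of 2013,
# hence the memory DoS) or build other json_create-capable objects the
# application never expected to receive from the network.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Hardened setting (the default since json 2.0): the same document is data,
# and "json_class" is just another string-valued key.
def parse_without_additions(doc)
  JSON.parse(doc, create_additions: false)
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_additions(PAYLOAD)      # :attacker_controlled_42  (a Symbol)
  p parse_without_additions(PAYLOAD)   # {"json_class"=>"Symbol", "s"=>"attacker_controlled_42"}
end
```

When reviewing an application, look for `create_additions: true` and for `JSON.load` on untrusted input; only `JSON.parse` with additions disabled treats `json_class` as inert data.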
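Editor's note on CVE-2013-1821 (added here, outside the signed advisory; not CERT-EU, Red Hat or REXML code). The example below shows entity expansion being triggered by reading a text node, as the advisory describes, and the two process-wide knobs REXML exposes to bound it: `REXML::Security.entity_expansion_limit` (number of expansions per document) and `REXML::Security.entity_expansion_text_limit` (bytes an expansion may produce). The sample document is constructed and deliberately small; a real payload nests entities so a few kilobytes expand to gigabytes.

```ruby
require 'rexml/document'

# Constructed sample: a 30-byte internal entity referenced ten times in the
# root's text, so reading that text expands to 300 bytes.
ENTITY_VALUE = "lol" * 10
XML_SAMPLE   = "<?xml version=\"1.0\"?>" \
               "<!DOCTYPE r [ <!ENTITY lol \"#{ENTITY_VALUE}\"> ]>" \
               "<r>#{'&lol;' * 10}</r>"

# Parse the document and read the root's text under explicit limits, restoring
# the previous process-wide values afterwards. Returns the expanded text, or
# :blocked when REXML aborts because a limit was exceeded.
def expand_root_text(xml, expansion_limit:, text_limit:)
  old_count = REXML::Security.entity_expansion_limit
  old_bytes = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit      = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit
  doc = REXML::Document.new(xml)   # limits in force now apply to this document
  doc.root.text                    # entity references are expanded on read
rescue RuntimeError                # REXML signals an exceeded limit with a RuntimeError
  :blocked
ensure
  REXML::Security.entity_expansion_limit      = old_count
  REXML::Security.entity_expansion_text_limit = old_bytes
end

if __FILE__ == $PROGRAM_NAME
  # Generous limits: the text is expanded in full.
  p expand_root_text(XML_SAMPLE, expansion_limit: 1000, text_limit: 10_240).length  # 300
  # Only four expansions allowed: the fifth &lol; aborts processing.
  p expand_root_text(XML_SAMPLE, expansion_limit: 4, text_limit: 10_240)            # :blocked
  # Only 100 bytes of expanded text allowed: aborted before 300 bytes are built.
  p expand_root_text(XML_SAMPLE, expansion_limit: 1000, text_limit: 100)            # :blocked
end
```

Both limits matter: the expansion count alone does not stop one very large entity, and the byte limit alone does not stop many small ones. Applications that accept XML from the network should set both to values sized for their real documents rather than rely on the defaults.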