Reference: CERT-EU Security Advisory 2013-0095
Title: JBoss Enterprise Application Platform update [1]
Version history: 06.12.2013 Initial publication

Summary
=======
An update for Red Hat JBoss Enterprise Application Platform 6.2.0, which fixes two security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

CVE numbers:
CVE-2013-2035
CVSS v2 Base Score: 4.4 (MEDIUM) (AV:L/AC:M/Au:N/C:P/I:P/A:P) [2]
CVE-2013-2133

Affected Versions
=================
JBoss Enterprise Application Platform 6.2.0

Original Details
================
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class could invoke a JAX-WS handler which they were not authorized to invoke. (CVE-2013-2133)

What can you do?
================
This update is available via the Red Hat Network.
[3]

What to tell your users
=======================
N/A

More information
================
[1] https://rhn.redhat.com/errata/RHSA-2013-1784.html
    https://rhn.redhat.com/errata/RHSA-2013-1785.html
    https://rhn.redhat.com/errata/RHSA-2013-1786.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2035
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
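Added illustration of the CVE-2013-2035 pattern described under Original Details; this is editor-written Python, not HawtJNI's or Red Hat's code, and stands in for the Java extraction logic. It places the predictable shared-directory extraction beside a hardened version (private 0700 directory from mkdtemp, exclusive create) and the ownership/permission check a loader should run before loading the file. The function names, the sample library bytes and the world-writable stand-in directory are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed stand-in for a native library bundled inside a JAR (not a real ELF).
FAKE_LIB_BYTES = b"\x7fELF-constructed-placeholder"

def extract_predictable(lib_name, data, tmp_dir="/tmp"):
    """Weak pattern described for CVE-2013-2035: fixed, guessable path in a shared
    directory, opened without O_EXCL, so anything placed there first is reused."""
    path = os.path.join(tmp_dir, lib_name)
    with open(path, "wb") as f:
        f.write(data)
    return path

def extract_hardened(lib_name, data):
    """Hardened pattern: private per-process dir (mkdtemp gives mode 0700 and an
    unpredictable name) plus O_CREAT|O_EXCL|O_NOFOLLOW, so the create fails rather
    than reusing a pre-placed file or symlink; the file is never group/world writable."""
    priv_dir = tempfile.mkdtemp(prefix="hawtjni-")
    path = os.path.join(priv_dir, lib_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o700)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def is_private(path):
    """Check before loading: regular file (not a symlink), owned by us, and neither
    it nor its parent dir is group/world writable. A shared /tmp fails the parent check."""
    st = os.lstat(path)
    parent = os.lstat(os.path.dirname(path))
    shared = stat.S_IWGRP | stat.S_IWOTH
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid()
            and not (st.st_mode & shared) and not (parent.st_mode & shared))

def exclusive_create_fails(path):
    """True if an O_EXCL create of path is refused because the name is already taken."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700))
        return False
    except FileExistsError:
        return True

def make_shared_dir():
    """Constructed world-writable directory standing in for /tmp (keeps the demo off the real one)."""
    d = tempfile.mkdtemp(prefix="shared-")
    os.chmod(d, 0o777)
    return d
```

The planted-file case in the check below shows the difference: the weak extractor silently truncates and reuses a name that already exists, while the exclusive create refuses it.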