Reference: CERT-EU Security Advisory 2013-0095

Title: JBoss Enterprise Application Platform update [1]

Version history:
06.12.2013 Initial publication


Summary
=======
An update for Red Hat JBoss Enterprise Application Platform 6.2.0, which fixes two security issues and several bugs and adds various enhancements, is now available from the Red Hat Customer Portal.


CVE numbers:
CVE-2013-2035 CVSS v2 Base Score: 4.4 (MEDIUM) (AV:L/AC:M/Au:N/C:P/I:P/A:P) [2]
CVE-2013-2133

Affected Versions
=================
JBoss Enterprise Application Platform 6.2.0

Original Details
================

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)
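
The race described for CVE-2013-2035, as an added example that is not code from HawtJNI or JBoss: a Python stand-in for the library loader showing the predictable shared-directory write beside an extraction into a private, randomly named 0700 directory with an exclusive create, so a file planted or swapped by another local user cannot end up being loaded. The library name and payload bytes are constructed.

```python
"""Extracting a bundled native library to disk: the predictable-path pattern from the
advisory beside a hardened form (constructed example, not HawtJNI or JBoss code)."""
import os
import stat
import tempfile

def extract_predictable(lib_bytes: bytes, name: str, shared_dir: str = "/tmp") -> str:
    """Vulnerable pattern: fixed, guessable name in a directory any local user can write to.
    open() follows a planted symlink, overwrites silently, and the file can be swapped
    again in the window between this write and the later load."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(lib_bytes)
    return path

def write_exclusive(path: str, data: bytes) -> bool:
    """Atomic create (O_EXCL): returns False, touching nothing, if a file or symlink exists."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def extract_private(lib_bytes: bytes, name: str) -> str:
    """Hardened: unpredictable, owner-only (0700) directory plus exclusive create, so no
    other local user can pre-create or swap the file before the process loads it."""
    private_dir = tempfile.mkdtemp(prefix="native-lib-")  # mkdir(..., 0o700), random name
    path = os.path.join(private_dir, name)
    write_exclusive(path, lib_bytes)  # directory was created empty just now, so this succeeds
    return path

def mode_of(path: str) -> int:
    return stat.S_IMODE(os.lstat(path).st_mode)  # permission bits only, e.g. 0o700

def demo() -> dict:
    """Both extractors against a constructed payload and a file planted in advance."""
    payload = b"constructed stand-in for a bundled .so"
    shared = tempfile.mkdtemp(prefix="shared-tmp-")  # stand-in for a world-writable /tmp
    planted = os.path.join(shared, "libhawtjni.so")
    with open(planted, "wb") as f:
        f.write(b"planted by another local user")
    pred = extract_predictable(payload, "libhawtjni.so", shared_dir=shared)
    priv = extract_private(payload, "libhawtjni.so")
    with open(priv, "rb") as f:
        intact = f.read() == payload
    return {"predictable_overwrote_planted": pred == planted, "private_bytes_intact": intact,
            "private_dir_mode": mode_of(os.path.dirname(priv)), "private_file_mode": mode_of(priv),
            "second_write_to_private_refused": not write_exclusive(priv, b"swap")}
```

Specifying a custom library path outside any shared temporary directory, as the advisory text implies, removes the race in the same way: the directory is no longer one other local users can write to.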

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class could invoke a JAX-WS handler which they were not authorized to invoke. (CVE-2013-2133)


What can you do?
================
This update is available via the Red Hat Network. [3]


What to tell your users
=======================

N/A

More information
================
[1] https://rhn.redhat.com/errata/RHSA-2013-1784.html
    https://rhn.redhat.com/errata/RHSA-2013-1785.html
    https://rhn.redhat.com/errata/RHSA-2013-1786.html

[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2035

[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
