-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2011-0031.
Title: Multiple vulnerabilities on JBoss Enterprise Portal Platform
Version history: 16.12.2011 Initial publication

Summary
=======

Multiple vulnerabilities have been found in JBoss Enterprise Portal Platform. A patch is available.

* Multiple cross-site scripting (XSS) flaws (CVE-2011-4580)
* open URL redirect on the login page of the platform
* Invoker servlets authentication bypass

The Red Hat Security Response Team has rated this update as having moderate security impact.

CVE: CVE-2011-2941, CVE-2011-4085, CVE-2011-4580
Remote: Yes
Credibility: Vendor Confirmed
Ease: Exploit Available
CVSS[2] v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Original technical description
==============================

Multiple cross-site scripting (XSS) flaws were found in JBoss Enterprise Portal Platform. If a remote attacker could trick a user, who was logged into the portal, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's portal session. (CVE-2011-4580)

It was found that the login page of JBoss Enterprise Portal Platform could be used to perform open URL redirects. A remote attacker could use this flaw to redirect users to arbitrary websites and conduct phishing attacks via a URL passed in the initialURI parameter. (CVE-2011-2941)

It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085)

More description may be found in [1].

Vulnerable systems
==================

JBoss Enterprise Portal Platform prior to 5.2.0.

What can you do?
================

Update to JBoss Enterprise Portal Platform 5.2.0 [1]

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails, and should immediately forward the suspicious email to the respective IT security officer / contact in your institution. Avoid browsing multiple sites simultaneously while logged in to a sensitive web site.

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2011-1822.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
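The open redirect described in the technical description above (CVE-2011-2941) arises when a login page forwards the browser to whatever the initialURI parameter contains. The following is an added example of how a defender constrains such a parameter to paths inside the application; it is illustrative Python written for this page, not JBoss Enterprise Portal Platform code. The parameter name comes from the advisory, while the default landing path `/portal` and the `login_redirect` helper are assumptions.

```python
"""Added example: validate a post-login redirect parameter (the advisory's
initialURI) so it can only point back into the application.  Illustrative
code, not JBoss Enterprise Portal Platform source."""
from urllib.parse import urlsplit, unquote

DEFAULT_LANDING = "/portal"  # assumed safe fallback inside the application


def safe_redirect_target(initial_uri, default=DEFAULT_LANDING):
    """Return a same-origin path derived from initial_uri, or `default`
    when the value could send the browser elsewhere.  Only absolute paths
    with exactly one leading '/' survive; anything carrying a scheme, an
    authority, a backslash or a control character is refused."""
    if not initial_uri:
        return default
    # CR/LF and other control characters are never legitimate in a
    # redirect target and are a classic way to confuse header handling.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in initial_uri):
        return default
    # Some browsers treat '\' as '/', so "/\evil.example" would be seen as
    # "//evil.example" on the client; refuse backslashes outright.
    if "\\" in initial_uri:
        return default
    parts = urlsplit(initial_uri)
    # "http://evil.example/" and "javascript:..." carry a scheme;
    # "//evil.example" carries an authority with no scheme (protocol-relative).
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # Require an absolute in-site path.  A percent-encoded second slash is
    # also refused in case a later layer decodes it before redirecting.
    if not path.startswith("/") or path.startswith("//") \
            or unquote(path).startswith("//"):
        return default
    target = path
    if parts.query:
        target += "?" + parts.query
    return target  # fragment is intentionally dropped


def login_redirect(initial_uri_param):
    """Simulated post-login step: value to put in the Location header."""
    return safe_redirect_target(initial_uri_param)


if __name__ == "__main__":
    # Constructed sample inputs: legitimate in-site paths first, then the
    # shapes an unvalidated redirect parameter would accept.
    for sample in ["/portal/private/classic", "/portal?x=1",
                   "http://attacker.example/", "//attacker.example/",
                   "/\\attacker.example", "javascript:alert(1)",
                   "/%2F%2Fattacker.example", ""]:
        print(repr(sample), "->", login_redirect(sample))
```

The function is deliberately an allow-list: rather than trying to recognise every external form a URL can take, it accepts only what a login flow needs, an absolute path and optional query on the current origin, and falls back to a known page for everything else.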
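The invoker servlet issue (CVE-2011-4085) is an instance of access control that is bound to specific HTTP methods, so any method not listed passes through unauthenticated. In Java web applications one common place such a restriction lives is a web.xml security-constraint whose web-resource-collection enumerates http-method elements, in which case only the listed methods are constrained. The advisory does not state that this is how the restriction in httpha-invoker was configured, so that mechanism is an assumption here. The audit script below is an added example, not vendor code: it flags method-limited constraints in a constructed deployment descriptor (resource and role names are made up) and shows the corrected form, where the http-method elements are removed so the constraint covers every method.

```python
"""Added example: audit a web.xml for security constraints that enumerate
HTTP methods, leaving every unlisted method unconstrained (the weakness
class behind CVE-2011-4085).  The deployment descriptors are constructed
samples; the web.xml mechanism is an assumption, not an advisory fact."""
import xml.etree.ElementTree as ET

# Methods worth listing in a report; note that a server usually accepts
# arbitrary verbs too, so the real gap is "everything not constrained".
COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

# Constructed sample: only GET and POST are protected.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>InvokerServlets</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>invoker-user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample of the corrected form: no http-method elements, so the
# constraint applies to every method the container receives.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip a namespace prefix like '{http://...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    return [c for c in element if _local(c.tag) == name]


def find_method_limited_constraints(web_xml_text):
    """Return one finding per web-resource-collection that lists
    http-method elements.  Works with or without the J2EE namespace."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for wrc in root.iter():
        if _local(wrc.tag) != "web-resource-collection":
            continue
        constrained = [(m.text or "").strip() for m in _children(wrc, "http-method")]
        if not constrained:
            continue  # no http-method elements: constraint covers all methods
        names = _children(wrc, "web-resource-name")
        findings.append({
            "resource": (names[0].text or "").strip() if names else "?",
            "patterns": [(p.text or "").strip() for p in _children(wrc, "url-pattern")],
            "constrained": constrained,
            "unconstrained_examples": [m for m in COMMON_METHODS if m not in constrained],
        })
    return findings


if __name__ == "__main__":
    for label, text in [("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)]:
        for f in find_method_limited_constraints(text) or [None]:
            print(label, "->", f if f else "no method-limited constraints")
```

Run against a real deployment descriptor, every finding names a URL pattern whose authentication requirement depends on the verb; the fix is to drop the http-method list (or, on Servlet 3.0 and later, use http-method-omission) so the auth-constraint applies regardless of method, and to keep any second authorization layer, such as the security interceptor the advisory mentions, enabled.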
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJO61KPOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4MxPg/8CYgQY/8H
535gmESm+J+k29ImOH+aKnGMV6dIePq5DxvBRQ5anFX9rcNUwV9L9V5u193BnFlg
mnHEEicAoKu2/XqLJWEjxY4doeqauS6rAc7yY1Hxzq8RLp4h5GMi4Gfwu+2dEqHg
3SccCAqkEM0WuFoaC0MqEmwLImdpQe1UEUH2GDiWt5E9cE2Ej1ggsTe9yioxthLs
j+QzC+ye0uXZqFX0XsTz/UUUIme4nrAJJBZ3VAi9+mixg47EJZkb3/i5HKcBlIM6
jcwpkr2SbhdK0vH5nvpg8Bdem2IH/ojq4+yOPT6mIRj47mjVMqSrQg2sy1PmF1gv
in7I9mBuiMfxnGFUIcexFmg/5gWRLb+/cn1chiDJj/3GuXX2GDdR+DHrEJG/mBPL
jXWkbnoAnkJkmXoen508Cb4Nskae3v3F8wGTDRr2+Eo5AF1oE3zz3Gb/ZRVEsV3F
V7WiHANA3TGKXsyaH51GWVXqo//VOhU2yjhNjmpcGdD5wmnGDno2/qXE8k0IcsyY
HQ1AC5W5FUF+JaofGFIufi32JGVD74Wc7dybJ3nWcaErzAPzaCR0SF2DTDry4/V6
pOioK9Qq7fwiZmKCw6jPZ1NF0YsSm4ZVdVTl5YcKvjdq6qEK2GK8oeF5SM1Vlk83
OyfqaP+fvE3Shhh+m40mQzPOfF3BxhberqY=
=NYhw
-----END PGP SIGNATURE-----