-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0012
Title: Multiple vulnerabilities in JBoss Web server [1]
Version history: 01.02.2012 Initial publication

Summary
=======

Red Hat has released fixes to JBoss Communications Platform [5] and JBoss Web, the web container of JBoss Enterprise Application Platform [1-4]. These vulnerabilities can allow remote attackers to access sensitive information or cause a denial of service.

CVE-2011-1184, CVE-2011-2526, CVE-2011-4610, CVE-2011-4858, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064, CVE-2012-0022

These vulnerabilities are rated as "Important" by the vendor.
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) [6]

Please see [1-5] for further details.

Vulnerable systems
==================

JBoss Enterprise Application Platform 5 EL4
JBoss Enterprise Application Platform 5 EL5
JBoss Enterprise Application Platform 5 EL6
JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch
JBoss Communications Platform 5.1.2

Original Details
================

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair characters. If JBoss Web was hosting an application with UTF-8 character encoding enabled, or that included user-supplied UTF-8 strings in a response, a remote attacker could use this flaw to cause a denial of service (infinite loop) on the JBoss Web server. (CVE-2011-4610)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value.
This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in "jboss-as/server/[PROFILE]/deploy/properties-service.xml". (CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make a JBoss Web server use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST authentication. These flaws weakened the JBoss Web HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking I/O) connector. A malicious web application running on a JBoss Web instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). (CVE-2011-2526)

What can you do?
================

This update is available via the Red Hat Network.
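The parameter and header caps introduced by this update (see the CVE-2011-4858 and CVE-2012-0022 descriptions above) are plain JVM system properties. The fragment below is an added example, not taken from the Red Hat errata or from CERT-EU, of how an administrator can set them in "jboss-as/server/[PROFILE]/deploy/properties-service.xml". It relies on the SystemPropertiesService MBean that JBoss AS 5 ships in that file (the MBean code and name are the stock ones); the two values chosen here, 256 and 64, are illustrative tightenings of the patched defaults of 512 and 128, not recommendations from the advisory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: jboss-as/server/[PROFILE]/deploy/properties-service.xml
     The SystemPropertiesService MBean below is the stock JBoss AS 5 way to set
     JVM system properties at boot. The numeric values are illustrative. -->
<server>

  <mbean code="org.jboss.varia.property.SystemPropertiesService"
         name="jboss:type=Service,name=SystemProperties">

    <!-- The attribute body is parsed as a java.util.Properties file,
         so '#' starts a comment line. -->
    <attribute name="Properties">
      # CVE-2011-4858 / CVE-2012-0022: cap on request parameters (GET plus POST)
      # processed per request. Patched default is 512. 256 is an illustrative
      # tighter value; it is only safe if no legitimate form posts more fields.
      org.apache.tomcat.util.http.Parameters.MAX_COUNT=256

      # Cap on HTTP headers processed per request. Patched default is 128.
      # 64 leaves ample room for browser and reverse-proxy traffic.
      org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT=64
    </attribute>

  </mbean>

</server>
```

The web container reads these properties when its classes are loaded, so apply the change and restart the server rather than expecting a hot redeploy to pick it up. Before lowering either value below the patched default, exercise the largest legitimate forms and the most header-heavy clients (reverse proxies, SSO agents) your applications see, so that the cap stops attackers without turning away real users.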
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

See [1-5] for further details.

Warning: Before applying the update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.

What to tell your users?
========================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-0074.html
[2] https://rhn.redhat.com/errata/RHSA-2012-0075.html
[3] https://rhn.redhat.com/errata/RHSA-2012-0076.html
[4] https://rhn.redhat.com/errata/RHSA-2012-0077.html
[5] https://rhn.redhat.com/errata/RHSA-2012-0078.html
[6] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPKVPzOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4OScQ//VEEY59Zc
+qB3w9jurrn5y9JojMr7gdBgfzmA2rZRYoyyB6SIPZBrAWUcS7md8oeTVdL3m0m/
YaONmo/4gNSCH2V8WwolGxzVRXTHkfV40uGdl6iRviCBEveKIzmbI31flWnm/xwG
Pab/LzInuxU7QnuWbapL26M7a4UL3UW60M0LFpPdqjVzJFf1Viarv/F52ysjal+A
QB9fsBPab6pPfpZn4Cg97yaZ6+mwFuz0x7qfmwMvA+gbP3oS37yPdX9r8OXXJ62Z
n5zFu3AGwWEyYZVDaNq5Yg8F2m7a+314JN4DZ/Ir/oeuLk6m2eLxFncWzaBhG5L6
7GsOkcVTJ2t3Y2fWyj+fWniE5gzKT8N+SSLy/S6Xx5kFnEu3QO3PDy9LsZscYLfu
8eNXe/lG0vpjEelADHYZjtwfRyYayOYIEGaGIZXE/ZQmF4P9r/fdhReTxILiqZxL
wDXfsLzeHw+CTeQ+U+TFRXbvkoSZALZXlF5zpr9MCP+tv9CdrSeXlkRmacfQiP2J
Wk0vNFNoQE5WIzBFrT4o2bvS8mSUH/H5A9C2JmvzODU/pOwmTsFaOVUgdU0Sx0/R
E/sH2Vo1isFeeOPir+ak7alOSWG5+XyhOX5Tmkr4O40+eGdx4sI6p20tU3y8yzRV
L/cwcVrxXvD+NjCgyz5VcyQVUtNb/iHb6X8=
=H/hm
-----END PGP SIGNATURE-----