Reference: CERT-EU Security Advisory 2012-0089

Title: jbossas security update

Version history:
25.07.2012 Initial publication

Summary
=======

An update for JBoss Enterprise Portal Platform 4.3 CP07 that fixes one security issue is now available from the Red Hat Customer Portal. All users of JBoss Enterprise Portal Platform 4.3 CP07 as provided from the Red Hat Customer Portal are advised to install this update.

CVE-2011-4605

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [1]

Vulnerable systems
==================

Releases before 5.3.15 and 5.4.5

Original Details
================

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various application-specific impacts. (CVE-2011-4605)

What can you do?
================

Fix is available [3]

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files.

What to tell your users?
========================

N/A

More information
================

[1] Information about CVSS: http://www.first.org/cvss/cvss-guide.html
[2] https://rhn.redhat.com/errata/RHSA-2012-1109.html
[3] https://www.redhat.com/security/data/cve/CVE-2011-4605.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html