-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0148
Title: JBoss Enterprise Application Platform 6.0.1 update for RHEL 5 and RHEL 6 [1]
Version history: 19.12.2012 Initial publication

Summary
=======

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact.

CVE numbers [2]:
CVE-2008-0455
CVE-2012-2378
CVE-2012-2379
CVE-2012-2672
CVE-2012-2687
CVE-2012-3428
CVE-2012-3451
CVE-2012-4549
CVE-2012-4550

Affected Versions
=================

JBoss Enterprise Application Platform 6.0.1 for RHEL 5 and RHEL 6

Original Details
================

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.0, and includes bug fixes and enhancements.

Security fixes:

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. (CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. (CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to "allow-multiple-users". A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. (CVE-2012-4549)

It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. (CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

What can you do?
================

This update is available via the Red Hat Network. [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-1591.html
    https://rhn.redhat.com/errata/RHSA-2012-1592.html

[2] https://www.redhat.com/security/data/cve/CVE-2012-2378.html
    https://www.redhat.com/security/data/cve/CVE-2012-2379.html
    https://www.redhat.com/security/data/cve/CVE-2012-2672.html
    https://www.redhat.com/security/data/cve/CVE-2012-2687.html
    https://www.redhat.com/security/data/cve/CVE-2012-3428.html
    https://www.redhat.com/security/data/cve/CVE-2012-3451.html
    https://www.redhat.com/security/data/cve/CVE-2012-4549.html
    https://www.redhat.com/security/data/cve/CVE-2012-4550.html
    https://www.redhat.com/security/data/cve/CVE-2008-0455.html

[3] https://access.redhat.com/knowledge/articles/11258

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQ0fBGAAoJEPpzpNLI8SVoixUP+wRwfTJ1mhl+JzvCFMBxSpe1
lS87i0Pnxg++3/l2BEvDRa7hvH0UCxekzcMId/pU1mixUo9QhLQ/AOFL6X6Wp9lG
l8TgXYPdOisdS4GOSPYg1KRVMLGhnBGo9ol0Son6BHMLLxoTM76DjSnMBEgRpABm
UnyExABD52yhLxBQacJ6QchBD4NwV7OekXMGUPEgqIbBm+THWZ8x8md+W1RMfY5+
fe/sIu2lW6iX1+bqdsEtoXxiA5TrCa5d9V9sdldm/PgOwsm8xpROBs7DAEE2nWJ7
aMCwT0l0lLVDuODLBINnLYPwe7vDm1tbYE6FR8FxZePChsLUPWK7+Awn0eDxkKrT
WeEM/R/svySfnHlO/sCrtP5NahVRycGSorbNeTvfwXV2lLfAyXhLUVU3gIbMx6h1
tuyaWa0elBOH7Nx7miWbh7pwAPIOqhNH0uOXdyGBTmLQkL3FvBBn98k2ZZv9NDoT
GgO71D94EOBng+cfhe8SZK+vPJKHkRKGI3oVk0O+HvjsoQdvP5C/muCc+kuP3KLO
F94vYNGYVvfoBSL6S0BwrwvS8auT6txwtqYPG5ehH23q8KrWtk0X98lLl8ABRKqJ
nqiiT9WqTv6ayHabLRD/uTy/ui1sbTX4JMucUEVlLq1rSTu7nDPBvhoUsZ/vNr3f
OhQ/Wg27FUZqMCzM8sQW
=pwOL
-----END PGP SIGNATURE-----
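The CVE-2012-4549 paragraph under "Original Details" describes an authorization interceptor that lets every invocation proceed when a method's allowed-role list is empty. The following is an added illustration, not JBoss EAP code and not its AuthorizationInterceptor: a small simulated interceptor showing that flawed decision beside a deny-by-default one in which "anyone may call" has to be stated explicitly rather than inferred from an empty list. The class, method and role names, and the PERMIT_ALL marker, are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not JBoss EAP code. Models the decision CVE-2012-4549
 * describes: a method with an empty allowed-role list should be callable by
 * nobody, but the flawed check let every caller through. All names here are
 * illustrative assumptions.
 */
public class EjbRoleCheckExample {

    /** Explicit "any caller" marker; an unrestricted method must say so. */
    static final String PERMIT_ALL = "*";

    /** Flawed decision: an empty allowed-role set is treated as "unrestricted". */
    static boolean flawedAllows(Set<String> allowedRoles, Set<String> callerRoles) {
        if (allowedRoles.isEmpty()) {
            return true; // the bug: no role is allowed, yet every caller proceeds
        }
        if (allowedRoles.contains(PERMIT_ALL)) {
            return true;
        }
        return !Collections.disjoint(allowedRoles, callerRoles);
    }

    /** Deny-by-default decision: absent or empty allowed roles deny everyone. */
    static boolean allows(Set<String> allowedRoles, Set<String> callerRoles) {
        if (allowedRoles == null || allowedRoles.isEmpty()) {
            return false;
        }
        if (allowedRoles.contains(PERMIT_ALL)) {
            return true;
        }
        return !Collections.disjoint(allowedRoles, callerRoles);
    }

    /** Simulated interceptor: look up the method's roles, then decide. */
    static String invoke(Map<String, Set<String>> methodRoles, String method,
                         Set<String> callerRoles, boolean useFlawedCheck) {
        Set<String> allowed = methodRoles.getOrDefault(method, Collections.emptySet());
        boolean ok = useFlawedCheck ? flawedAllows(allowed, callerRoles)
                                    : allows(allowed, callerRoles);
        return method + ": " + (ok ? "PROCEED" : "DENIED");
    }

    public static void main(String[] args) {
        // Constructed method-to-role table for the example.
        Map<String, Set<String>> methodRoles = new HashMap<>();
        methodRoles.put("transfer", new HashSet<>(Arrays.asList("admin")));
        methodRoles.put("ping", new HashSet<>(Arrays.asList(PERMIT_ALL)));
        methodRoles.put("shutdown", Collections.emptySet()); // no allowed roles at all

        Set<String> guest = new HashSet<>(Arrays.asList("guest"));

        System.out.println("flawed check, guest caller");
        for (String m : Arrays.asList("transfer", "ping", "shutdown")) {
            System.out.println("  " + invoke(methodRoles, m, guest, true));
        }
        System.out.println("deny-by-default check, guest caller");
        for (String m : Arrays.asList("transfer", "ping", "shutdown")) {
            System.out.println("  " + invoke(methodRoles, m, guest, false));
        }
    }
}
```

The difference shows up only on "shutdown", the method with no allowed roles: the flawed check lets the guest caller proceed, the deny-by-default check refuses it, and both agree on the admin-only and explicitly unrestricted methods. Keeping the "unrestricted" case as an explicit marker is what makes an empty list safe to treat as "nobody".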
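The CVE-2012-2672 paragraph describes a startup context held in a ThreadLocal that is not removed in all cases, so the next application started on the same thread can reach the previous one's context. The following is an added illustration, not Mojarra code: a stand-in context holder showing the leaky pattern, the fix with removal in a finally block, and a guard a container could run before each deployment to detect and clear a leftover. The StartupContext class, the guard, and the deployment names are assumptions made for the example.

```java
/*
 * Added example, not Mojarra or JBoss EAP code. Models the failure mode behind
 * CVE-2012-2672: a per-thread context installed during application startup and
 * not removed, so the next application started on that thread inherits it.
 * StartupContext, guardBeforeDeploy and the WAR names are assumptions.
 */
public class ThreadLocalLeakExample {

    /** Stand-in for the framework context object a WAR may read at startup. */
    static final class StartupContext {
        final String owner;
        StartupContext(String owner) { this.owner = owner; }
    }

    private static final ThreadLocal<StartupContext> CURRENT = new ThreadLocal<>();

    /** What an application's startup code would call to reach its context. */
    static StartupContext currentInstance() {
        return CURRENT.get();
    }

    /** Leaky pattern: the context is installed and never removed. */
    static void leakyStartup(String warName) {
        CURRENT.set(new StartupContext(warName));
        // ... startup listeners run and may call currentInstance() ...
        // no CURRENT.remove(): the next deployment on this thread sees warName's context
    }

    /** Fixed pattern: removal in finally, so an exception cannot skip it either. */
    static void safeStartup(String warName) {
        CURRENT.set(new StartupContext(warName));
        try {
            // ... startup listeners run and may call currentInstance() ...
        } finally {
            CURRENT.remove();
        }
    }

    /**
     * Defensive guard a container can run on the deployer thread before each
     * deployment: a leftover context is a bug worth logging, and it is cleared
     * rather than handed to the next application.
     */
    static String guardBeforeDeploy(String nextWar) {
        StartupContext leftover = CURRENT.get();
        if (leftover != null) {
            CURRENT.remove();
            return "WARN leftover context of " + leftover.owner
                    + " found before deploying " + nextWar + "; cleared";
        }
        return "OK no leftover context before deploying " + nextWar;
    }

    public static void main(String[] args) {
        // Two deployments run back to back on the same thread, as a deployer would.
        leakyStartup("app-a.war");
        System.out.println(guardBeforeDeploy("app-b.war"));

        safeStartup("app-a.war");
        System.out.println(guardBeforeDeploy("app-b.war"));
    }
}
```

The first guard call reports the leftover from the leaky startup; after the safe startup the guard finds nothing. Both halves of the fix matter: the owning code removes its own ThreadLocal in a finally block, and the container treats anything still present at the next deployment boundary as an error rather than as valid state.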