Reference: CERT-EU Security Advisory 2013-0023
Title: JBoss Enterprise Application Platform 5.2.0 security update [1]
Version history: 19.02.2013 Initial publication

Summary
=======

Updated JBoss Enterprise Application Platform 5.2.0 packages that fix two security issues. The Red Hat Security Response Team has rated this update as having important security impact.

CVE numbers [2]:
CVE-2012-5633
CVE-2012-3451

Affected Versions
=================

JBoss Enterprise Application Platform 5.2.0

Original Details
================

Security fixes:

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. If web services were exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation was performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

What can you do?
================

This update is available via the Red Hat Network. [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2013-0256.html
[2] https://www.redhat.com/security/data/cve/CVE-2012-3451.html
    https://www.redhat.com/security/data/cve/CVE-2012-5633.html
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0

Best regards,
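As an added example (not Red Hat's or Apache CXF's code), the following Python check inspects a single HTTP request to a CXF SOAP endpoint and flags the two request patterns described under Original Details: a GET reaching an endpoint whose WS-Security is applied by WSS4JInInterceptor (CVE-2012-5633), and a SOAPAction header that names a different operation than the SOAP Body (CVE-2012-3451). The operation names and SOAPAction values in ACTIONS are assumed; in a real deployment they come from the service WSDL.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed operation -> SOAPAction map; in practice this comes from the service WSDL.
ACTIONS = {
    "getBalance": "urn:example:getBalance",
    "transfer": "urn:example:transfer",
}


def body_operation(xml_text):
    """Return the local name of the first element inside SOAP Body, or None."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def inspect_request(method, headers, body):
    """Return a list of findings for one HTTP request to a CXF SOAP endpoint.

    Two patterns from the advisory are flagged:
    - a GET, i.e. the URIMappingInterceptor path on which WSS4JInInterceptor
      never ran (CVE-2012-5633);
    - a SOAPAction header naming one operation while the Body names another,
      the SOAPAction spoofing pattern (CVE-2012-3451).
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() == "GET":
        findings.append("GET to SOAP endpoint: WS-Security interceptor not applied (CVE-2012-5633)")
        return findings
    action = hdrs.get("soapaction", "").strip().strip('"')
    try:
        op = body_operation(body) if body else None
    except ET.ParseError:
        findings.append("malformed SOAP envelope")
        return findings
    if op is None:
        findings.append("no operation element in SOAP Body")
        return findings
    expected = ACTIONS.get(op)
    if expected is None:
        findings.append(f"unknown operation {op!r} in SOAP Body")
    elif action and action != expected:
        findings.append(f"SOAPAction {action!r} does not match Body operation {op!r} (CVE-2012-3451)")
    return findings
```

Run it over access-log or proxy captures of the SOAP endpoint; an empty SOAPAction is left to body-based dispatch and is not flagged, so policy on that case is the deployer's call.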