Reference: CERT-EU Security Advisory 2013-0077

Title: JBoss Middleware security update [1]

Version history:
17.10.2013 Initial publication

Summary
=======

An update for the commons-fileupload component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss BRMS 5.3.1; and Red Hat JBoss Portal 4.3 CP07, 5.2.2 and 6.0.0.

The Red Hat Security Response Team has rated this update as having important security impact.

CVE numbers [2]: CVE-2013-2186

Affected Versions
=================

Red Hat JBoss Middleware

Original Details
================

Security fixes:

The Apache Commons FileUpload component can be used to add a file upload capability to your applications. A flaw was found in the way the DiskFileItem class handled NULL characters in file names. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process. (CVE-2013-2186)

What can you do?
================

This update is available via the Red Hat Network. [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2013-2186.html
[2] https://www.redhat.com/security/data/cve/CVE-2013-2186.html
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=6.0.0

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html