Reference: CERT-EU Security Advisory 2014-018
Title: JBoss Enterprise Application Platform update [1]
Version history: 19.02.2014 Initial publication

Summary
=======

An update for Red Hat JBoss Enterprise Application Platform 6.2.0, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

CVE numbers:

CVE-2013-4517  CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) [2]
CVE-2013-6440  CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2014-0018  CVSS v2 Base Score: 1.9 (LOW) (AV:L/AC:M/Au:N/C:N/I:P/A:N)

Affected Versions
=================

JBoss Enterprise Application Platform 6.2.0

Original Details
================

It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2013-6440)

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways. (CVE-2014-0018)

What can you do?
================

This update is available via the Red Hat Network. [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2014-0172.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4517
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6440
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0018
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html