-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0045
Title: JBOSS Security Updates [1]
Version history: 22.03.2012 Initial publication

Summary
=======

An update for JBoss Operations Network 2.4.2 that fixes one security issue is now available from the Red Hat Customer Portal. [1]

CVE-2012-1100 JON: LDAP authentication allows any user access if bind credentials are bad
CVSS v2 Base Score: 5.2 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P) [2]

Vulnerable systems
==================

JBoss Operations Network (JON) 2.4.2

Original Details
================

A flaw was found in the way LDAP (Lightweight Directory Access Protocol) authentication was handled. If the LDAP bind account credentials became invalid, subsequent login attempts with any password for user accounts created via LDAP were successful. A remote attacker could use this flaw to log into LDAP-based JBoss ON accounts without knowing the correct passwords.

What can you do?
================

Fix is available via the Red Hat Network.

Warning: Before applying the update, backup your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on).

What to tell your users?
========================

N/A

More information
================

[1] https://www.redhat.com/security/data/cve/CVE-2012-1100.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us.
We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPacGeOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4PLCA//ctYqY2CJ
HhiE59bgb/rVpz7Bec2l7n9733pTSVbXtkYej+ThX7OEk8xf2JXYQrFrkpcb5KKm
RBpMM9V2tW4XtQD7limAXJkjW1co7pEt3yO7nRKZiYbJYBaZ6+zpsGeN5e8OhyNq
WjVNbUol2KZgrifl1f8hQboXLSuD63Jr3hP4oYST1TgDzGRSsaNzoeer8nlbhhwc
9sCysKiXpumpAFIPjBNzUDUvnMngKaZlaAoxaKp//9h3GviBLcMml8TW/pnD8Fbg
mgNnZue88gxELU1UFbhSDUGnwmP/8lu8IbJpspYLeW/jF0BZyPDsE6tYrLEOJOyL
XWFLbB7bfG9UYeEsfRSLTjycd1Pm8D5g1kzyUPCCXP3x3UlSes+C/8Hrb46orupt
cYSrWvjq1OBbh17gb5YxERe+uZ1dbqEogcLXr7BvYSOpmNFDTixMEvgEssfd7ItN
y1aZZ8VirVPyT0graLvC3fKxbsLanvfOhWmcJ+xnWf0nfHR66Zf6r3VBPLY2CJMP
tzgNKJjBs8I0h8OGLPYWpHq/+NSZj8kCiU8Gd2VAvktpguOAgjT91/VTOWdg9NWz
dtHIuDIC7R1mbJ/jrUffnKXxGExC24J5iwVh4RLNKPNhAijE+yYKwFhWsA+ZfXqu
zRyIoTPLj9Je2ZA5/8N0TZWM0fzeH6UbJnY=
=8Kg0
-----END PGP SIGNATURE-----
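Added illustration of the failure mode described under "Original Details" above; this is editor-written Python, not part of the CERT-EU advisory and not JBoss ON's own code. It models the common two-step LDAP login (bind as a service account, search for the user, rebind as the user) against a constructed in-memory directory, and places a fail-open flow, in which an unusable service bind is swallowed and the login proceeds, beside the fail-closed flow that only grants access on a positive user bind. The exception-swallowing shape of the defect is an assumption chosen to reproduce the symptom the advisory states (any password accepted once the bind credentials are bad), not a reading of the real code path; the DNs, account names and passwords are all constructed sample values.

```python
"""Fail-open vs fail-closed LDAP login flow (added illustration, not JBoss ON code)."""
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("ldap-auth-example")


@dataclass
class SimulatedLdap:
    """Minimal stand-in for an LDAP directory: constructed data, no network."""
    service_accounts: Dict[str, str]   # bind DN -> password of the lookup account
    users: Dict[str, str]              # uid -> password of end-user entries

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only if the DN exists and the password matches."""
        if dn in self.service_accounts:
            return self.service_accounts[dn] == password
        rdn = dn.split(",", 1)[0]
        if rdn.startswith("uid="):
            uid = rdn[len("uid="):]
            return uid in self.users and self.users[uid] == password
        return False

    def user_dn(self, uid: str) -> Optional[str]:
        """Search step: map a login name to its entry DN, or None if absent."""
        if uid in self.users:
            return f"uid={uid},ou=people,dc=example,dc=org"
        return None


class LdapUnavailable(Exception):
    """The directory check could not be carried out (e.g. bad bind credentials)."""


def ldap_verify(ldap, bind_dn, bind_pw, uid, password) -> bool:
    """Standard two-step LDAP login: service bind, user search, then bind as the user."""
    if not ldap.bind(bind_dn, bind_pw):
        raise LdapUnavailable("service bind failed; check the configured bind credentials")
    dn = ldap.user_dn(uid)
    if dn is None:
        return False
    return ldap.bind(dn, password)


def login_fail_open(ldap, bind_dn, bind_pw, uid, password) -> bool:
    """Modelled defect (an assumption, not the real JBoss ON code path): the
    infrastructure error is swallowed, so 'could not check' ends as 'allowed'."""
    try:
        if not ldap_verify(ldap, bind_dn, bind_pw, uid, password):
            return False
    except LdapUnavailable:
        log.warning("LDAP check skipped for %r", uid)
    return True


def login_fail_closed(ldap, bind_dn, bind_pw, uid, password) -> bool:
    """Corrected flow: access requires a positive user bind; every other outcome denies."""
    try:
        return ldap_verify(ldap, bind_dn, bind_pw, uid, password)
    except LdapUnavailable as exc:
        log.error("LDAP authentication unavailable for %r: %s", uid, exc)
        return False


# Constructed sample directory and configuration values (hypothetical).
DIRECTORY = SimulatedLdap(
    service_accounts={"cn=jon-bind,dc=example,dc=org": "svc-secret"},
    users={"alice": "alice-pw"},
)
BIND_DN = "cn=jon-bind,dc=example,dc=org"
GOOD_BIND_PW = "svc-secret"
STALE_BIND_PW = "rotated-away"   # the bind account's password changed, the config did not


def compare(bind_pw: str, uid: str, password: str) -> Dict[str, bool]:
    """Run both flows with the same inputs so their decisions can be compared."""
    return {
        "fail_open": login_fail_open(DIRECTORY, BIND_DN, bind_pw, uid, password),
        "fail_closed": login_fail_closed(DIRECTORY, BIND_DN, bind_pw, uid, password),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("good bind, right password  :", compare(GOOD_BIND_PW, "alice", "alice-pw"))
    print("good bind, wrong password  :", compare(GOOD_BIND_PW, "alice", "guess"))
    print("stale bind, wrong password :", compare(STALE_BIND_PW, "alice", "guess"))
```

With stale bind credentials the fail-closed flow denies every LDAP-backed login, including users who present the correct password, until the configured bind credentials are repaired; that outage is the safe direction, and the error it logs on each attempt is the signal operators should alert on. Accounts that were not created via LDAP never enter this path, which matches the advisory's scope of LDAP-created accounts only.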