-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0074
Title: Jboss Security Update - JNDI: unauthenticated remote write access is permitted by default [1]
Version history: 21.06.2012 Initial publication

Summary
=======

An update that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. [4]

CVE-2011-4605
CVSS v2 Base Score: 7.5 (MEDIUM) AV:N/AC:L/Au:N/C:P/I:P/A:P [2]

Vulnerable systems
==================

JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Application Platform 4.3.0 CP10
JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6

Original Details
================

A flaw was found in the way LDAP (Lightweight Directory Access Protocol) authentication was handled. If the LDAP bind account credentials became invalid, subsequent login attempts with any password for user accounts created via LDAP were successful. A remote attacker could use this flaw to log into LDAP-based JBoss ON accounts without knowing the correct passwords.

What can you do?
================

Fix is available via the Red Hat Network. [3]

Warning: Before applying the update, backup your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on).

What to tell your users?
========================

N/A

More information
================

[1] https://access.redhat.com/security/cve/CVE-2011-4605
[2] https://access.redhat.com/security/updates/classification/#important
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.htmlwnloadType=securityPatches&product=appplatform&version=5.1.2
[4] https://rhn.redhat.com/errata/RHSA-2012-1022.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJP5EGKOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4Ojgg/9HFAvsBEd
BRDzF+C5QMrQeZv5mZweRLNlw+zWIdloRKcabrIJogokCKg8hcPwmQptS7lK6655
ULynHK63HC++HDo4CANdMd+jb7EsGrb9X67rJnxt3FGPtR4ptU9muDxG1e3gaNiN
ek7PVJnKmH+tdSsrsDmqrUFWMBjlw55YHpaCPmQGgz8aDIJKfcdF6VNZSL6B9F9R
rvtLqZ514vQZNz4hzjeisxMyX2URfozb1Pg+1qHPU3TEqz0f8Sj1WgWudvMAcLjf
PSJEB0ehKaojGFlw8zYE9nZaiBE4yt5OssAno6xo4bUtb2yk0MsHjgEAHGPPGLIx
8N0qMdWRQuY7ceR8LQu8SlPQz1JesWkKT4siGmZUcLXvIuE+N/QEvRe3/vUdVJDM
oTUDRa0VAqmmokkyEsHhYRKD2duWTtcDIVKCUnIHU0nJy2egARj4vsDx65wjfXkX
F2D+k2n22/lzCftQXW3/iU1s1DpHEQa+WVDBSB9Kg1WCNZ5xC0nXkrEbCdWbvx/P
yRkd2YsyeSYtZWz+tg33o9q0rxTiLOaDj/PoD2pTEuuQ3UCpjlDCjFPNbsh7Dyam
uAFcXG3ih+FlorIRpf/wVCnQJml7ClRvJDYwt1+TvtGZiaSQBiGK7fUWE8xnZmG0
Jff7meL8iCxrV1DNJOV77sUX3USEYVoZadc=
=ZDgS
-----END PGP SIGNATURE-----
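The failure mode the advisory's "Original Details" section describes (the application's LDAP bind account stops working, and from then on any password is accepted for LDAP-backed users) is a fail-open authentication path. The following is an added illustration, not JBoss ON code and not the actual patch: the in-memory directory, the service account, the user and both authenticators are constructed here to reproduce that behaviour and to show the fail-closed handling a fix has to guarantee. It also covers the related empty-password pitfall (an unauthenticated simple bind that many directories accept), which the advisory does not mention but which the same fail-closed check catches.

```python
"""Fail-open vs fail-closed handling of a broken LDAP service-account bind.

Constructed example (not JBoss ON code). The scenario: the directory's
password for the application's bind account was rotated, but the application
configuration still holds the old value, so the service bind now fails.
"""
import logging

log = logging.getLogger("ldap-auth")


class BindError(Exception):
    """Raised when a simple bind is rejected (LDAP invalidCredentials, result 49)."""


class FakeDirectory:
    """Minimal stand-in for an LDAP server: DN -> attributes, with a uid lookup."""

    def __init__(self, entries):
        # entries: {dn: {"uid": ..., "userPassword": ...}}  (constructed sample data)
        self._entries = entries

    def simple_bind(self, dn, password):
        if password == "":
            return  # unauthenticated bind: many servers accept it and bind as nobody
        entry = self._entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise BindError(f"invalidCredentials for {dn}")

    def find_dn_by_uid(self, uid):
        for dn, attrs in self._entries.items():
            if attrs["uid"] == uid:
                return dn
        return None


def authenticate_fail_open(directory, service_dn, service_pw, uid, password):
    """Vulnerable pattern: a service-bind failure is treated as 'nothing to check'.

    The user's password is only verified inside the try block. When the
    service bind raises, the except branch merely logs and the optimistic
    default is returned, so every password for an LDAP-backed user passes.
    """
    authenticated = True  # optimistic default: this is the bug
    try:
        directory.simple_bind(service_dn, service_pw)
        user_dn = directory.find_dn_by_uid(uid)
        if user_dn is None:
            authenticated = False
        else:
            try:
                directory.simple_bind(user_dn, password)
            except BindError:
                authenticated = False
    except BindError as exc:
        log.warning("service bind failed: %s", exc)
    return authenticated


def authenticate_fail_closed(directory, service_dn, service_pw, uid, password):
    """Hardened pattern: every error path denies, and a service-bind failure
    is logged at error level so operators see a broken bind account."""
    if not password:
        return False  # an empty password would become an unauthenticated bind
    try:
        directory.simple_bind(service_dn, service_pw)
    except BindError as exc:
        log.error("LDAP service account cannot bind; denying LDAP logins: %s", exc)
        return False
    user_dn = directory.find_dn_by_uid(uid)
    if user_dn is None:
        return False
    try:
        directory.simple_bind(user_dn, password)
    except BindError:
        return False
    return True


# Constructed sample directory: the bind account (already rotated) and one user.
SERVICE_DN = "cn=app-bind,ou=services,dc=example,dc=org"
DIRECTORY = FakeDirectory({
    SERVICE_DN: {"uid": "app-bind", "userPassword": "new-secret"},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": "correct horse"},
})


def demo():
    """Login for 'alice' with a wrong password while the application still
    sends the stale bind password. Returns (fail_open_result, fail_closed_result)."""
    stale_service_pw = "old-secret"
    return (
        authenticate_fail_open(DIRECTORY, SERVICE_DN, stale_service_pw, "alice", "anything"),
        authenticate_fail_closed(DIRECTORY, SERVICE_DN, stale_service_pw, "alice", "anything"),
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    vulnerable, hardened = demo()
    print(f"fail-open accepted a wrong password:   {vulnerable}")
    print(f"fail-closed accepted a wrong password: {hardened}")
```

The detection angle follows from the hardened version: a bind failure for the service account is logged once per login attempt at error level, so a burst of those entries (or, on a vulnerable build, LDAP logins succeeding while the directory reports invalidCredentials for the bind DN) is the signal to look for when the bind account's credentials are rotated.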