-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0145
Title: JBoss Enterprise BRMS Platform 5.3.0 security update [1]
Version history: 14.12.2012 Initial publication

Summary
=======

An update for JBoss Enterprise BRMS Platform 5.3.0 that fixes one security
issue is now available from the Red Hat Customer Portal. The Red Hat Security
Response Team has rated this update as having important security impact.

CVE number: CVE-2012-2379
CVSS v2: 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N [2]

Affected Versions
=================

JBoss Enterprise BRMS Platform 5.3.0

Original Details
================

A flaw was found in the way Apache CXF verified that XML elements were signed
or encrypted by a particular Supporting Token. Apache CXF checked to ensure
these elements were signed or encrypted by a Supporting Token, but not whether
the correct token was used. A remote attacker could use this flaw to transmit
confidential information without the appropriate security, and potentially
circumvent access controls on web services exposed via Apache CXF.

What can you do?
================

Patches are available [3]

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2012-1559.html
[2] https://access.redhat.com/security/cve/CVE-2012-2379
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.0

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQy0B1AAoJEPpzpNLI8SVobqkP/1TpactD2sUjClSm3XHXo1nk
AB9G8qeEFO+fS4oH7IeUitNo+H1pSDQhqs22apJbh8sL0tbcZ1L/pCn5yth/zRPE
DZcJRSvDl2+lPU2uvkA19ERkxuiIW48iiPVi9cFN2gpuf/0ouAjvxq52zA+ESaoa
CcKid3xyfZAd6qMw2OdIslXfPK+8NKgjEf6dzERMrPRUG5L45LYVD5hC+4ErPYWR
B6TxtNcpUQOSi3JX8EN4oL44OxR1v8zmF8UGy6qc1cV5hLxjYHSVu+1+04MjKaqI
zRLWFFaKw6f3bthWHs+JCn0US4UcOTvd6cvUKvCcpwj117AH78uwFSzBOvZn1Z/V
YATiBhfgLx4ZnKtH9spj9mB7kBPqhAw/zeJkvFX4cfJW4GSQz3SHurg9h7In6lER
Nolo4LP3w+8gGanzVa25XLQQ/vvIhBbyV2/CUV61Fq7ikO9KUDkU04UZqQVWOsdw
yMK+lBFdBkWQ9DCYsun779n3NsbYmnP1gx1q4MDt3O/k040dT1dR59E80zh2lVye
MKs6o8EFxhNIa3ek6a3KW7HSlt7nb7V5eo7VjUXJHSqrVX/ZeymtKZDfW4urzwSx
aOir5rhX6e4oTY/j8Cu06XxTPNmkvdNyAufGz/77zNuF5SqSlY5AG8uuYgZQi78X
TpffPqDAXPyDpS0Y0SPn
=9OOF
-----END PGP SIGNATURE-----
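The distinction behind the flaw described under "Original Details" (an element protected by some Supporting Token versus by the specific token the policy names) is easier to see as a small model. The following Python is an added illustration, not Apache CXF source and not part of the advisory; the `Protection` and `Policy` types, the token ids and the two sample messages are constructed for the example. `weak_check` reproduces the accepting-any-Supporting-Token behaviour the advisory describes; `strict_check` binds each required element to the token the policy names for it.

```python
# Constructed model of the token-binding check described in the advisory.
# Illustrative code only, not Apache CXF: it contrasts "protected by some
# Supporting Token" with "protected by the token the policy names".
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Protection:
    """One signature or encryption observed on an inbound message element."""
    element: str   # name of the protected element, e.g. "Body"
    kind: str      # "signed" or "encrypted"
    token_id: str  # id of the security token whose key was used


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: which token must protect which element."""
    supporting_tokens: frozenset  # every token id the policy calls a Supporting Token
    required: dict                # (element, kind) -> id of the token that must be used


def _protections_by_element(found):
    """Group observed protections as {(element, kind): {token ids}}."""
    grouped = defaultdict(set)
    for p in found:
        grouped[(p.element, p.kind)].add(p.token_id)
    return grouped


def weak_check(policy, found):
    """Vulnerable behaviour: accept when each required element was signed or
    encrypted by *any* Supporting Token, without binding it to the named one."""
    grouped = _protections_by_element(found)
    for key in policy.required:
        if not grouped[key] & policy.supporting_tokens:
            return False
    return True


def strict_check(policy, found):
    """Corrected behaviour: each required element must be protected by the
    specific token the policy names for it, not merely by any Supporting Token."""
    grouped = _protections_by_element(found)
    for key, token_id in policy.required.items():
        if token_id not in grouped[key]:
            return False
    return True


# Constructed sample policy and messages (not taken from any real deployment).
POLICY = Policy(
    supporting_tokens=frozenset({"X509-client", "UsernameToken-guest"}),
    required={("Body", "signed"): "X509-client",
              ("Body", "encrypted"): "X509-client"},
)

# Message protected by the token the policy names: both checks accept it.
GOOD_MESSAGE = [Protection("Body", "signed", "X509-client"),
                Protection("Body", "encrypted", "X509-client")]

# Message protected only by a different, lower-assurance Supporting Token:
# the weak check accepts it, the strict check rejects it.
WRONG_TOKEN_MESSAGE = [Protection("Body", "signed", "UsernameToken-guest"),
                       Protection("Body", "encrypted", "UsernameToken-guest")]

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("wrong token", WRONG_TOKEN_MESSAGE)):
        print(f"{name}: weak={weak_check(POLICY, msg)} "
              f"strict={strict_check(POLICY, msg)}")
```

The point of the model is the loop body: the weak form asks whether the set of tokens that protected an element intersects the set of all Supporting Tokens, while the corrected form asks whether the one token the policy names is among them. Any verifier that maps a policy requirement to a class of tokens rather than to a specific token reproduces the same gap, so the corrected form is the one to look for when reviewing a WS-SecurityPolicy implementation.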