-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0022
Title: JBoss Enterprise Application Platform 4.3.0 security update [1]

Version history:
19.02.2013 Initial publication

Summary
=======

Updated JBoss Enterprise Application Platform 4.3.0 packages are available
that fix two security issues. The Red Hat Security Response Team has rated
this update as having important security impact.

CVE numbers [2]:
CVE-2012-5629
CVE-2011-1096

Affected Versions
=================

JBoss Enterprise Application Platform 4.3.0 CP10

Original Details
================

Security fixes:

When using LDAP authentication with the provided LDAP login modules
(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by
default. An attacker could use this flaw to bypass intended authentication
by providing an empty password for a valid username, because the LDAP
server may treat a simple bind with a name and an empty password as an
"unauthenticated authentication" (RFC 4513, section 5.1.2) and return
success without verifying any credential. This update sets the
allowEmptyPasswords option of the LDAP login modules to false if the
option is not already configured. (CVE-2012-5629)

An attack technique was found against the W3C XML Encryption Standard when
block ciphers are used in cipher-block chaining (CBC) mode. A remote
attacker could use this flaw to conduct chosen-ciphertext attacks, leading
to the recovery of the entire plain text of a particular cryptogram by
examining the differences between SOAP (Simple Object Access Protocol)
responses sent from JBoss Web Services. (CVE-2011-1096)

What can you do?
================

This update is available via the Red Hat Network. [3]

Note that the update only changes the default: a login module
configuration that explicitly sets allowEmptyPasswords to true keeps that
value and should be reviewed by hand. Where the directory server itself can
be configured, RFC 4513 recommends that servers reject unauthenticated
binds by default, which closes the same gap for every client.
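The following added example (not code from the advisory or from JBoss) models the LDAP failure mode described above: a constructed stand-in directory that accepts an unauthenticated simple bind, a sketch of a bind-as-user login module that treats a success result code as proof that a password was checked, and the two ways to close the gap (the allowEmptyPasswords=false default the update introduces, and a directory that rejects unauthenticated binds as RFC 4513 recommends). Class names, DNs and passwords are hypothetical.

```python
"""Constructed model of the CVE-2012-5629 empty-password bypass and its fix.

ToyDirectory is a stand-in for an LDAP server, and SketchLdapLoginModule is
a simplified sketch of a bind-as-user login module, not JBoss code.
"""

# LDAP result codes (RFC 4511)
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


class ToyDirectory:
    """Stand-in for an LDAP server's Bind operation.

    RFC 4513 section 5.1.2: a simple Bind carrying a name but an empty
    password is the "unauthenticated authentication mechanism". A server
    that honours it returns success without comparing any password. The RFC
    says servers SHOULD reject it by default (unwillingToPerform), but many
    deployments do not, hence the reject_unauthenticated switch.
    """

    def __init__(self, passwords: dict, reject_unauthenticated: bool):
        self._passwords = passwords  # constructed dn -> password table
        self._reject_unauthenticated = reject_unauthenticated

    def simple_bind(self, dn: str, password: str) -> int:
        if dn and not password:
            # Unauthenticated bind: no password is ever compared
            return UNWILLING_TO_PERFORM if self._reject_unauthenticated else SUCCESS
        if dn in self._passwords and self._passwords[dn] == password:
            return SUCCESS
        return INVALID_CREDENTIALS


class SketchLdapLoginModule:
    """Minimal sketch of a login module that binds as the user."""

    def __init__(self, directory: ToyDirectory, base_dn: str, allow_empty_passwords: bool):
        self._dir = directory
        self._base_dn = base_dn
        # Pre-update behaviour: effectively True unless the deployer set the option
        self.allow_empty_passwords = allow_empty_passwords

    def login(self, username: str, password: str) -> bool:
        if not self.allow_empty_passwords and password == "":
            return False  # the fix: refuse before any bind is attempted
        user_dn = f"uid={username},{self._base_dn}"
        # Bug pattern: a success result code is taken as proof of a password check
        return self._dir.simple_bind(user_dn, password) == SUCCESS


def run_scenarios() -> dict:
    """Login outcomes for the vulnerable and the fixed configurations."""
    base = "ou=people,dc=example,dc=com"  # constructed
    users = {f"uid=alice,{base}": "correct horse"}  # constructed
    lax_dir = ToyDirectory(users, reject_unauthenticated=False)
    strict_dir = ToyDirectory(users, reject_unauthenticated=True)
    vulnerable = SketchLdapLoginModule(lax_dir, base, allow_empty_passwords=True)
    fixed = SketchLdapLoginModule(lax_dir, base, allow_empty_passwords=False)
    strict_server = SketchLdapLoginModule(strict_dir, base, allow_empty_passwords=True)
    return {
        "vulnerable_empty_pw": vulnerable.login("alice", ""),               # bypass
        "vulnerable_wrong_pw": vulnerable.login("alice", "guess"),
        "vulnerable_right_pw": vulnerable.login("alice", "correct horse"),
        "fixed_empty_pw": fixed.login("alice", ""),                         # closed by client
        "fixed_right_pw": fixed.login("alice", "correct horse"),
        "strict_server_empty_pw": strict_server.login("alice", ""),         # closed by server
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} -> {'authenticated' if ok else 'rejected'}")
```

The point to take from the first scenario is that nothing in the bind exchange looks wrong to the client: the server really did answer success, so the only defence on the application side is to refuse to send an empty password at all, which is what allowEmptyPasswords=false does.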
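The following added example (not code from the advisory, from the published attack, or from JBoss Web Services) shows the mechanism behind a CBC chosen-ciphertext attack in its simplest form, a padding oracle: the attacker forges the ciphertext block that precedes the target block, submits it, and uses the server's accept/reject answer to recover one plaintext byte at a time, never learning the key. The attack on XML Encryption uses the parser's acceptance of the decrypted XML as the oracle rather than padding and is more involved, but it rests on the same CBC malleability and the same "differences between responses" side channel. Every component here is constructed: a toy Feistel cipher built on SHA-256 stands in for AES, CBC uses PKCS#7 padding, and a PaddingOracle class stands in for the responding server.

```python
"""Added illustration: CBC chosen-ciphertext recovery via a validity oracle.
Constructed parts: a 4-round Feistel cipher on SHA-256 stands in for the block
cipher (not AES), CBC uses PKCS#7 padding, and PaddingOracle stands in for a
server whose responses differ for valid and invalid decryptions."""
import hashlib

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    prev, out, padded = iv, b"", pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return unpad(out)

class PaddingOracle:
    """Server stand-in: reveals only whether a ciphertext decrypts cleanly."""
    def __init__(self, key):
        self._key, self.queries = key, 0

    def accepts(self, iv, ciphertext):
        self.queries += 1
        try:
            cbc_decrypt(self._key, iv, ciphertext)
            return True
        except ValueError:
            return False

def recover_plaintext(oracle, iv, ciphertext):
    """Recover the plaintext from accept/reject answers alone; no key needed."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned one byte at a time
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j  # padding value we force onto bytes j..15
            forged = bytearray(inter[m] ^ p if m > j else 0 for m in range(BLOCK))
            for guess in range(256):
                forged[j] = guess
                if not oracle.accepts(bytes(forged), cur):
                    continue
                if j == BLOCK - 1:  # rule out accidental longer padding (e.g. 02 02)
                    probe = bytearray(forged)
                    probe[j - 1] ^= 0xFF
                    if not oracle.accepts(bytes(probe), cur):
                        continue
                inter[j] = guess ^ p
                break
            else:
                raise RuntimeError("no guess accepted: not a padding oracle?")
        recovered += _xor(inter, prev)  # P_i = D_k(C_i) XOR C_{i-1}
    return unpad(recovered)

def demo():
    key = hashlib.sha256(b"constructed secret key").digest()[:16]  # attacker never sees it
    iv = bytes(range(BLOCK))
    message = b"<Amount>1500</Amount><To>acct-42</To>"  # constructed sample
    oracle = PaddingOracle(key)
    plaintext = recover_plaintext(oracle, iv, cbc_encrypt(key, iv, message))
    return plaintext, oracle.queries
```

Run demo() to see the full message come back from a few thousand accept/reject answers. The fix for this class of attack is not a better block cipher but removing the oracle: authenticate the ciphertext (a MAC or an AEAD mode) and reject before decrypting, so that every malformed submission produces the same response.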

What to tell your users
=======================

N/A

More information
================

[1] https://rhn.redhat.com/errata/RHSA-2013-0248.html
    https://rhn.redhat.com/errata/RHSA-2013-0261.html
[2] https://www.redhat.com/security/data/cve/CVE-2012-5629.html
    https://www.redhat.com/security/data/cve/CVE-2011-1096.html
[3] https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=4.3.0.GA_CP10

Best regards,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJRI7ESAAoJEPpzpNLI8SVoKKgQAI1F90HjpBJWch41e6dWgbjY
ICP2sVyh7M45IsiXWVwDDuQMBdSbbAQ+TyLC8vr0wnV7YSEo38q0qr9dxB6rYxS7
KjB+rbnd/vJFOa1bdqHHygGKNxvJvO1fLs9urB8xA40Z7LapnvAqpEtDU1Kf657N
yrUBIr8tkNoXwfRESJp5mLzhsGy1OyDSgYduW1Fqf0h4Ku7KeBGs+XrpZPFiUwJF
Sx/ULUcBm/dHdyXz8nfRkoQQoJktN5sM2n+18E2vS1YJXo/gv9whWBOl/wnzUZFi
tsoud5QiPv/4rLr2AltgNEacrfPGUoqjJ7VwlmSdFe2cYLLWgQLMI+597zYFIvD9
/ZQHV9SArKwmCPgZ+NbVYNLJQZALl4eGpjtDNGSVp5IANKJLurAKhyG7gDJG0WVj
QvtPg/MsSIRQzL+i5rqFWEriUfmy3BvqFevJYymH0z1I+un6n3OCw+6V9k8LQTli
8iBjP7xlUCOped67jfcSThHYNQACQ+HxPJeqT1gmx/yE7X1Q0SPUwb2ZvKOU+d0M
YnwHvZTRa4ZCjRFqLGUAC+bWEvO0ho95b2exwAU/mD2bIG6DlRaYNNWiBgFK/KmO
CmrOFNpAw9gNc4AN2D2QfOIWfyRQGpqjOvhLDO/oX6xZ3SWU42u5O7x/j9w3ZTq9
Nq1N51A7PajK76g2j0zJ
=MtMt
-----END PGP SIGNATURE-----