Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0605 Important: JBoss Enterprise BRMS Platform 5.3.0 update 22 June 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: JBoss Enterprise BRMS Platform 5.3.0 Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-2377 CVE-2011-4605 CVE-2011-4085 Reference: ESB-2012.0595 ESB-2011.1158 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2012-1028.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise BRMS Platform 5.3.0 update Advisory ID: RHSA-2012:1028-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1028.html Issue date: 2012-06-22 CVE Names: CVE-2011-4085 CVE-2011-4605 CVE-2012-2377 ===================================================================== 1. Summary: JBoss Enterprise BRMS Platform 5.3.0, which fixes multiple security issues, various bugs, and adds enhancements is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server. This release of JBoss Enterprise BRMS Platform 5.3.0 serves as a replacement for JBoss Enterprise BRMS Platform 5.2.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise BRMS Platform 5.3.0 Release Notes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html The following security issues are also fixed with this release: It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085) When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377) Red Hat would like to thank Christian Schlüter (VIADA) for reporting CVE-2011-4605. Warning: Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). All users of JBoss Enterprise BRMS Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise BRMS Platform 5.3.0. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). 4. Bugs fixed (http://bugzilla.redhat.com/): 750422 - CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering) 766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default 823392 - CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started 5. References: https://www.redhat.com/security/data/cve/CVE-2011-4085.html https://www.redhat.com/security/data/cve/CVE-2011-4605.html https://www.redhat.com/security/data/cve/CVE-2012-2377.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions https://docs.redhat.com/docs/en-US/index.html 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP48ppXlSAg2UNWIIRAuvfAJkBEt7BGoBnd0xBiy8+LLUIEP1kmgCgoZ4P KdN4iIuXKzcJeDfIPCIULtw= =D4Vt - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT+PVk+4yVqjM2NGpAQK90RAApadrooZ0sDvEdNY3j9yfTJz5vF4ZrBkP D9Prlh5xG7qfiGQCX5UduuZlV1/9msOVJZmKx4m3ZTGF3k60ieRewxCRvWea/2b+ RyVctBgCdHvOyYHzpKcsF3DdKyFrPMS/IVyVsue6ONVDCikMpAG8eMSwKfeGiLjW 8wOTh1pSuFgeD0Kk2JhVHIyuOnHcPzq8vQ4OyhEDMvSJmscUIjaaO/mQouLuZP7i FSNVmjYtiF5erMzB3qsi919UFsNmqqcCAuzJXjsKAatyab/EUFDB4OD9ItgRsOO2 GHgRV9Mc9VSmzZ8ST90o5kDL6LtzTNHJU+vuiaKcNzTnCF33DxQO6hgTQ0OMnvtx oElM8JU1KFU1z216qMgO+amn5s/o+izaWz2tqIhC0HgCufvbLRRUYsVTyD2+0Hw9 nQro3WVNK/bg4yom04tvxfVmycrPHbJtYPlN99qbfGo20NXfp5GEUqfq4T9gFZcI rX1+u7eEWb1ox6FrbT/KwL6q1U7BrI0BbRv5OiKvXCaHQMkuU3XYVghsCvwjBZU/ PdSU73miv39NeoWUSR5OJqyTQOkVY8jqnZ751scDv0YUH5twYLGY2HXuJ2T/xd5A K92VMb4b6ykLCvSFJDKDWL9zFhE4VRD+CnxeCHqT9HA6C7B+4uqUW8kkwnl5pkiu SZM9Rtui5aM= =xQgf -----END PGP SIGNATURE-----