-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0104
              Moderate: JBoss Operations Network 3.1.2 update
                              24 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Operations Network
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Windows 7
                   Windows Server 2008
                   Solaris
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5920  

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2013-0187.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Operations Network 3.1.2 update
Advisory ID:       RHSA-2013:0187-01
Product:           JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0187.html
Issue date:        2013-01-23
CVE Names:         CVE-2012-5920 
=====================================================================

1. Summary:

JBoss Operations Network 3.1.2, which fixes one security issue and several
bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

JBoss Operations Network (JBoss ON) is a middleware management solution
that provides a single point of control to deploy, manage, and monitor
JBoss Enterprise Middleware, applications, and services.

This JBoss ON 3.1.2 release serves as a replacement for JBoss ON 3.1.1, and
includes several bug fixes. Refer to the JBoss ON 3.1.2 Release Notes for
information on the most significant of these changes. The Release Notes
will be available shortly from https://access.redhat.com/knowledge/docs/

The following security issue is also fixed with this release:

A cross-site scripting (XSS) flaw was found in Google Web Toolkit (GWT), a
core part of the JBoss ON web interface. If a remote attacker could trick a
user, who was logged into the JBoss ON web interface, into visiting a
specially-crafted URL, it could possibly lead to arbitrary web script
execution in the context of the user's JBoss ON session. (CVE-2012-5920)

Warning: Before applying the update, back up your existing JBoss ON
installation (including its databases, applications, configuration files,
the JBoss ON server's file system directory, and so on).

All users of JBoss Operations Network 3.1.1 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Operations Network 3.1.2.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss ON installation (including its databases, applications,
configuration files, the JBoss ON server's file system directory, and so
on).

Refer to the JBoss Operations Network 3.1.2 Release Notes for installation
information.

4. Bugs fixed (http://bugzilla.redhat.com/):

871690 - CVE-2012-5920 GWT: unknown XSS flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5920.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.1.2
https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current
https://access.redhat.com/knowledge/docs/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRAFsuXlSAg2UNWIIRAoIpAJ41lcJfSCnjLt/MuybQPPRyssfrJQCfcUU5
QcJou7EXNnVFLk5ejl/pb58=
=bfcd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----