Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

           Important: JBoss Enterprise SOA Platform 5.3.1 update
                             21 February 2013


        AusCERT Security Bulletin Summary

Product:           JBoss Enterprise SOA Platform
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux AS/ES/WS 4
                   Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux Server 6
                   Windows Server 2003
                   Windows Server 2008
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5478 CVE-2012-5370 CVE-2012-3370
                   CVE-2012-3369 CVE-2012-0874 CVE-2012-0034
                   CVE-2011-4575 CVE-2011-2730 CVE-2011-2487

Reference:         ESB-2013.0140

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 5.3.1 update
Advisory ID:       RHSA-2013:0533-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0533.html
Issue date:        2013-02-20
CVE Names:         CVE-2009-5066 CVE-2011-2487 CVE-2011-2730 
                   CVE-2011-4575 CVE-2012-0034 CVE-2012-0874 
                   CVE-2012-3369 CVE-2012-3370 CVE-2012-5370 

1. Summary:

JBoss Enterprise SOA Platform 5.3.1, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

This release of JBoss Enterprise SOA Platform 5.3.1 serves as a replacement
for JBoss Enterprise SOA Platform 5.3.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.1
Release Notes. The Release Notes will be available shortly from

2. Description:


JBoss Web Services leaked side-channel data when distributing symmetric
keys (for XML encryption), allowing a remote attacker to recover the entire
plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL)
expressions twice, allowing a remote attacker to execute arbitrary code in
the context of the application server, or to obtain sensitive information
from the server. (CVE-2011-2730)

Note: Manual action is required to apply the fix for CVE-2011-2730. If your
system has deployed applications which use Spring framework, the context
parameter "springJspExpressionSupport" must be set to "false" to mitigate
this flaw, for example, in the application's web.xml file. This will
prevent the double-evaluation of EL expressions that led to this flaw.

An XSS flaw allowed a remote attacker to perform an XSS attack against
victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if
no security context was provided. Depending on the deployed applications,
this could possibly allow a remote attacker to hijack the credentials of a
previously-authenticated user. (CVE-2012-3370)

A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, the Murmur
hash function has been replaced with the Perl hash function.

Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2012-5370 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.

Configuring the JMX Invoker to restrict access to users with specific
roles did not actually restrict access, allowing remote attackers with
valid JMX Invoker credentials to perform JMX operations accessible to
roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing local
users to view them via a process listing. (CVE-2009-5066)

NonManagedConnectionFactory logged the username and password in plain text
when an exception was thrown. This could lead to the exposure of
authentication credentials if local users had permissions to read the log
file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow
unauthenticated access by default in some profiles. The security
interceptor's second layer of authentication prevented direct exploitation
of this flaw. If the interceptor was misconfigured or inadvertently
disabled, this flaw could lead to arbitrary code execution in the context
of the user running the JBoss server. (CVE-2012-0874)

CallerIdentityLoginModule retained the password from the previous call if a
null password was provided. In non-default configurations this could
possibly lead to a remote attacker hijacking a previously-authenticated
user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum
for reporting CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575.
The CVE-2012-3370 and CVE-2012-3369 issues were discovered by Carlo de Wolf
of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and 
CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response

Warning: Before applying the update, back up your existing JBoss Enterprise
SOA Platform installation (including its databases, applications,
configuration files, and so on).

All users of JBoss Enterprise SOA Platform 5.3.0 as provided from the Red
Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise SOA Platform installation (including its
databases, applications, configuration files, and so on).

4. Bugs fixed (http://bugzilla.redhat.com/):

713539 - CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
737608 - CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
760387 - CVE-2011-4575 JMX Console: XSS in invoke operation
772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs
795645 - CVE-2012-0874 JBoss invoker servlets do not require authentication
836451 - CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided
836456 - CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
842477 - CVE-2009-5066 JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing
874349 - CVE-2012-5478 JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure
880671 - CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)

5. References:


6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
Version: GnuPG v1.4.4 (GNU/Linux)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967