Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0237
Important: JBoss Enterprise SOA Platform 5.3.1 update
21 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: JBoss Enterprise SOA Platform
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Windows Server 2003
Windows Server 2008
Solaris
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-5478 CVE-2012-5370 CVE-2012-3370
CVE-2012-3369 CVE-2012-0874 CVE-2012-0034
CVE-2011-4575 CVE-2011-2730 CVE-2011-2487
CVE-2009-5066
Reference: ESB-2013.0140
ESB-2013.0112
ESB-2013.0111
ESB-2012.1217
ESB-2012.0671
ESB-2012.0627
ESB-2012.0151
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2013-0533.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise SOA Platform 5.3.1 update
Advisory ID: RHSA-2013:0533-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0533.html
Issue date: 2013-02-20
CVE Names: CVE-2009-5066 CVE-2011-2487 CVE-2011-2730
CVE-2011-4575 CVE-2012-0034 CVE-2012-0874
CVE-2012-3369 CVE-2012-3370 CVE-2012-5370
CVE-2012-5478
=====================================================================
1. Summary:
JBoss Enterprise SOA Platform 5.3.1, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
This release of JBoss Enterprise SOA Platform 5.3.1 serves as a replacement
for JBoss Enterprise SOA Platform 5.3.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.1
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/
2. Description:
Security:
JBoss Web Services leaked side-channel data when distributing symmetric
keys (for XML encryption), allowing a remote attacker to recover the entire
plain text form of a symmetric key. (CVE-2011-2487)
Spring framework could possibly evaluate Expression Language (EL)
expressions twice, allowing a remote attacker to execute arbitrary code in
the context of the application server, or to obtain sensitive information
from the server. (CVE-2011-2730)
Note: Manual action is required to apply the fix for CVE-2011-2730. If your
system has deployed applications which use Spring framework, the context
parameter "springJspExpressionSupport" must be set to "false" to mitigate
this flaw, for example, in the application's web.xml file. This will
prevent the double-evaluation of EL expressions that led to this flaw.
An XSS flaw allowed a remote attacker to perform an XSS attack against
victims using the JMX Console. (CVE-2011-4575)
SecurityAssociation.getCredential() returned the previous credential if
no security context was provided. Depending on the deployed applications,
this could possibly allow a remote attacker to hijack the credentials of a
previously-authenticated user. (CVE-2012-3370)
A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, the Murmur
hash function has been replaced with the Perl hash function.
(CVE-2012-5370)
Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2012-5370 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.
Configuring the JMX Invoker to restrict access to users with specific
roles did not actually restrict access, allowing remote attackers with
valid JMX Invoker credentials to perform JMX operations accessible to
roles they are not a member of. (CVE-2012-5478)
twiddle.sh accepted credentials as command line arguments, allowing local
users to view them via a process listing. (CVE-2009-5066)
NonManagedConnectionFactory logged the username and password in plain text
when an exception was thrown. This could lead to the exposure of
authentication credentials if local users had permissions to read the log
file. (CVE-2012-0034)
The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow
unauthenticated access by default in some profiles. The security
interceptor's second layer of authentication prevented direct exploitation
of this flaw. If the interceptor was misconfigured or inadvertently
disabled, this flaw could lead to arbitrary code execution in the context
of the user running the JBoss server. (CVE-2012-0874)
CallerIdentityLoginModule retained the password from the previous call if a
null password was provided. In non-default configurations this could
possibly lead to a remote attacker hijacking a previously-authenticated
user's session. (CVE-2012-3369)
Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum
for reporting CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575.
The CVE-2012-3370 and CVE-2012-3369 issues were discovered by Carlo de Wolf
of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and
CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response
Team.
Warning: Before applying the update, back up your existing JBoss Enterprise
SOA Platform installation (including its databases, applications,
configuration files, and so on).
All users of JBoss Enterprise SOA Platform 5.3.0 as provided from the Red
Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform
5.3.1.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise SOA Platform installation (including its
databases, applications, configuration files, and so on).
4. Bugs fixed (http://bugzilla.redhat.com/):
713539 - CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
737608 - CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
760387 - CVE-2011-4575 JMX Console: XSS in invoke operation
772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs
795645 - CVE-2012-0874 JBoss invoker servlets do not require authentication
836451 - CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided
836456 - CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
842477 - CVE-2009-5066 JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing
874349 - CVE-2012-5478 JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure
880671 - CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)
5. References:
https://www.redhat.com/security/data/cve/CVE-2009-5066.html
https://www.redhat.com/security/data/cve/CVE-2011-2487.html
https://www.redhat.com/security/data/cve/CVE-2011-2730.html
https://www.redhat.com/security/data/cve/CVE-2011-4575.html
https://www.redhat.com/security/data/cve/CVE-2012-0034.html
https://www.redhat.com/security/data/cve/CVE-2012-0874.html
https://www.redhat.com/security/data/cve/CVE-2012-3369.html
https://www.redhat.com/security/data/cve/CVE-2012-3370.html
https://www.redhat.com/security/data/cve/CVE-2012-5370.html
https://www.redhat.com/security/data/cve/CVE-2012-5478.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions
https://access.redhat.com/knowledge/docs/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRJUS7XlSAg2UNWIIRAvOuAJ9/CfVEiOKEWkerxwWgoqEsKKDbUQCcDR+m
06ehbUNl5vzux3t3ubr8fB4=
=Hz1H
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUSW3MO4yVqjM2NGpAQKSFA/9E/eZysqSHvl8HnxPc85t2arxhv9NXAgo
P5FEMJa/lamHtJtHZFGAbXbXOjxTLHdBE2vbUUuW4vCE2Frs2/TqJz0l9QHIivLv
0olboN0I4rqXhKYriMmxMTtNdzA3qJik0aJ2iHz/iaJ+7kQljwp9P9vyL9Ps8Yln
EXcRLT3fMJF/HPA64BLkXLJKHomKv1hhg5gsfZohI5utgq3jg8+K5S6TUoZoi/ka
SDBUGBAogRwKsbGXu9qVT9UA470NHMPEz89jQcyc7AxAtrBINTuU4cnWQrLIXnEn
HvpQT5EvJFf+UXricsC541+mFCpEPNL0C8a+Hby1RiP5Znj2Ti3RDg44L53k+Dfz
U80nyKoZh6ChId1G3EBrxU+1/F/RIPLgkZKKls43ezXpnIzgOH5D28GLyyFC1akn
65vS5SNwLs0CvisI80McRGG5GEWunzCE+BhGFcnNirMr1GcL4g2VSv5ZVNwnlj4J
fbxZRmDmMnkE6hKew+FwJeqrTMa2lMZhmaSxjF5HmYxZdRoauoJs7iivyP7KMWDN
d2uuB68Mo0QCY5Jjc1aC3sHjN+9wGFHFd2C2GUMIqAe5vU+cnLapOHYZy9F4QRuq
jLCBKyd9TiJxylSSmqLr6ttilMBKOLz9DIcCChMsVlGNLAbiB9/xiGcr/uAMT5NY
sN1P/v7Rwzk=
=Zjhy
-----END PGP SIGNATURE-----