Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0237 Important: JBoss Enterprise SOA Platform 5.3.1 update 21 February 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: JBoss Enterprise SOA Platform Publisher: Red Hat Operating System: Red Hat Enterprise Linux AS/ES/WS 4 Red Hat Enterprise Linux Server 5 Red Hat Enterprise Linux Server 6 Windows Server 2003 Windows Server 2008 Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-5478 CVE-2012-5370 CVE-2012-3370 CVE-2012-3369 CVE-2012-0874 CVE-2012-0034 CVE-2011-4575 CVE-2011-2730 CVE-2011-2487 CVE-2009-5066 Reference: ESB-2013.0140 ESB-2013.0112 ESB-2013.0111 ESB-2012.1217 ESB-2012.0671 ESB-2012.0627 ESB-2012.0151 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2013-0533.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise SOA Platform 5.3.1 update Advisory ID: RHSA-2013:0533-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0533.html Issue date: 2013-02-20 CVE Names: CVE-2009-5066 CVE-2011-2487 CVE-2011-2730 CVE-2011-4575 CVE-2012-0034 CVE-2012-0874 CVE-2012-3369 CVE-2012-3370 CVE-2012-5370 CVE-2012-5478 ===================================================================== 1. Summary: JBoss Enterprise SOA Platform 5.3.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This release of JBoss Enterprise SOA Platform 5.3.1 serves as a replacement for JBoss Enterprise SOA Platform 5.3.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.1 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ 2. Description: Security: JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487) Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. (CVE-2011-2730) Note: Manual action is required to apply the fix for CVE-2011-2730. If your system has deployed applications which use Spring framework, the context parameter "springJspExpressionSupport" must be set to "false" to mitigate this flaw, for example, in the application's web.xml file. This will prevent the double-evaluation of EL expressions that led to this flaw. An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575) SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370) A denial of service flaw was found in the implementation of associative arrays (hashes) in JRuby. An attacker able to supply a large number of inputs to a JRuby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, the Murmur hash function has been replaced with the Perl hash function. (CVE-2012-5370) Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2012-5370 flaw is not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application. Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478) twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066) NonManagedConnectionFactory logged the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034) The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874) CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369) Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-2487, and Tyler Krpata for reporting CVE-2011-4575. The CVE-2012-3370 and CVE-2012-3369 issues were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; and CVE-2012-0874 was discovered by David Jorm of the Red Hat Security Response Team. Warning: Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on). All users of JBoss Enterprise SOA Platform 5.3.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform 5.3.1. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on). 4. Bugs fixed (http://bugzilla.redhat.com/): 713539 - CVE-2011-2487 jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key 737608 - CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure 760387 - CVE-2011-4575 JMX Console: XSS in invoke operation 772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs 795645 - CVE-2012-0874 JBoss invoker servlets do not require authentication 836451 - CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided 836456 - CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided 842477 - CVE-2009-5066 JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing 874349 - CVE-2012-5478 JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure 880671 - CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001) 5. References: https://www.redhat.com/security/data/cve/CVE-2009-5066.html https://www.redhat.com/security/data/cve/CVE-2011-2487.html https://www.redhat.com/security/data/cve/CVE-2011-2730.html https://www.redhat.com/security/data/cve/CVE-2011-4575.html https://www.redhat.com/security/data/cve/CVE-2012-0034.html https://www.redhat.com/security/data/cve/CVE-2012-0874.html https://www.redhat.com/security/data/cve/CVE-2012-3369.html https://www.redhat.com/security/data/cve/CVE-2012-3370.html https://www.redhat.com/security/data/cve/CVE-2012-5370.html https://www.redhat.com/security/data/cve/CVE-2012-5478.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions https://access.redhat.com/knowledge/docs/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRJUS7XlSAg2UNWIIRAvOuAJ9/CfVEiOKEWkerxwWgoqEsKKDbUQCcDR+m 06ehbUNl5vzux3t3ubr8fB4= =Hz1H - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUSW3MO4yVqjM2NGpAQKSFA/9E/eZysqSHvl8HnxPc85t2arxhv9NXAgo P5FEMJa/lamHtJtHZFGAbXbXOjxTLHdBE2vbUUuW4vCE2Frs2/TqJz0l9QHIivLv 0olboN0I4rqXhKYriMmxMTtNdzA3qJik0aJ2iHz/iaJ+7kQljwp9P9vyL9Ps8Yln EXcRLT3fMJF/HPA64BLkXLJKHomKv1hhg5gsfZohI5utgq3jg8+K5S6TUoZoi/ka SDBUGBAogRwKsbGXu9qVT9UA470NHMPEz89jQcyc7AxAtrBINTuU4cnWQrLIXnEn HvpQT5EvJFf+UXricsC541+mFCpEPNL0C8a+Hby1RiP5Znj2Ti3RDg44L53k+Dfz U80nyKoZh6ChId1G3EBrxU+1/F/RIPLgkZKKls43ezXpnIzgOH5D28GLyyFC1akn 65vS5SNwLs0CvisI80McRGG5GEWunzCE+BhGFcnNirMr1GcL4g2VSv5ZVNwnlj4J fbxZRmDmMnkE6hKew+FwJeqrTMa2lMZhmaSxjF5HmYxZdRoauoJs7iivyP7KMWDN d2uuB68Mo0QCY5Jjc1aC3sHjN+9wGFHFd2C2GUMIqAe5vU+cnLapOHYZy9F4QRuq jLCBKyd9TiJxylSSmqLr6ttilMBKOLz9DIcCChMsVlGNLAbiB9/xiGcr/uAMT5NY sN1P/v7Rwzk= =Zjhy -----END PGP SIGNATURE-----