-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1064
   Important: Red Hat JBoss BRMS 6.0.2 update and Red Hat JBoss BPM Suite
                               6.0.2 update
                                1 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss BRMS
                   Red Hat JBoss BPM
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0364 CVE-2014-0363 CVE-2014-0193 CVE-2014-0107

Reference:         ESB-2014.1016
                   ESB-2014.0864
                   ESB-2014.0629
                   ESB-2014.0422
                   ESB-2014.0398

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2014-0818.html
   https://rhn.redhat.com/errata/RHSA-2014-0819.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat JBoss BRMS or Red Hat JBoss BPM check for an updated
         version of the software for their operating system.

         This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.0.2 update
Advisory ID:       RHSA-2014:0818-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0818.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0193 CVE-2014-0363 CVE-2014-0364
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.0.2, which fixes multiple security issues, various bugs,
and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management,
storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.0.2 serves as a replacement for Red Hat
JBoss BRMS 6.0.1, and includes bug fixes and enhancements. Refer to the Red Hat
JBoss BRMS 6.0.2 Release Notes for information on the most significant of these
changes. The Release Notes will be available shortly at
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient
restrictions defined for certain properties and features. A remote attacker
able to provide Extensible Stylesheet Language Transformations (XSLT) content
to be processed by an application using Xalan-Java could use this flaw to
bypass the intended constraints of the secure processing feature. Depending on
the components available in the classpath, this could lead to arbitrary remote
code execution in the context of the application server running the
application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify
basicConstraints and nameConstraints in X.509 certificate chains. A
man-in-the-middle attacker could use this flaw to spoof servers and obtain
sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not
verify the From attribute of a roster-query IQ stanza. A remote attacker could
use this flaw to spoof IQ responses. (CVE-2014-0364)

A flaw was found in the WebSocket08FrameDecoder implementation that could
allow a remote attacker to trigger an Out Of Memory Exception by issuing a
series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the
server configuration, this could lead to a denial of service. (CVE-2014-0193)

Red Hat would like to thank James Roper of Typesafe for reporting the
CVE-2014-0193 issue.

All users of Red Hat JBoss BRMS 6.0.1 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update, and then after installing the update,
restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0193.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTsdBRXlSAg2UNWIIRApgoAJ4qZy1snKmPfN+becwbawV/V16oMACgqjUu
AB1LmsvFsa2NmQDx4i2NwXk=
=6scE
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.0.2 update
Advisory ID:       RHSA-2014:0819-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0819.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0363 CVE-2014-0364
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.0.2, which fixes multiple security issues, various
bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of JBoss
rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.0.2 serves as a replacement for Red
Hat JBoss BPM Suite 6.0.1, and includes bug fixes and enhancements. Refer to
the Red Hat JBoss BPM Suite 6.0.2 Release Notes for information on the most
significant of these changes. The Release Notes will be available shortly at
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient
restrictions defined for certain properties and features. A remote attacker
able to provide Extensible Stylesheet Language Transformations (XSLT) content
to be processed by an application using Xalan-Java could use this flaw to
bypass the intended constraints of the secure processing feature. Depending on
the components available in the classpath, this could lead to arbitrary remote
code execution in the context of the application server running the
application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify
basicConstraints and nameConstraints in X.509 certificate chains. A
man-in-the-middle attacker could use this flaw to spoof servers and obtain
sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not
verify the From attribute of a roster-query IQ stanza. A remote attacker could
use this flaw to spoof IQ responses. (CVE-2014-0364)

All users of Red Hat JBoss BPM Suite 6.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update, and then after installing the update,
restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTsdEPXlSAg2UNWIIRAvu/AJ9C0hY1754u7KoZ03V58FsJRlQDTwCgl0j2
UmrOhtSbWfvLWRBLgK2+Mkc=
=Lnv7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU7I/jhLndAQH1ShLAQKKpg/9GW8rhroRYx/Pw6M+AKV7fYESVon2yS0X
5hdgRTngmjOQyBuch96NkTBqlSXSd1ccSQF1TA8xfykrraiXZypAurFiq2sJgLUw
/uIGFW+q9DkbhDAEmljpvSw37lJ6fyTrEcdizM2NdR/r03DITMRJiJ932PG0xKXT
yWknE2nj8CryYwu+jhK3VsiNa2jUbMBj1FIqSVwq55j7cg+BbmZxcNc9dtOXpTUJ
UQZ1SuglsgB6fFMHCD2fTmiXfHSjANKUqroPQ836pLTKUd3JmBbxfYtqytHAnKcp
M9oCWOQ2saEp82SRTnCF77X6iXGu6pXifjbepvqM2CbLZ3xyjKMG+Ae3lNHXPwDx
Tz6CTx5PlkJvzHeB0JjyKNbMvNlgOAEeVMis6fLloKGEYkpOtR+Ad1Zx5T3spunG
EXauBeEndifvqM0DqnR75MAWjEnt+P/Ehaki+oi0II7xZngt8E3LGK1+tpyW4bzO
YImgUTXLk+iGSQN33ufrPIQEs5SkODFa5XeV1iavZBN65csahORB9xC1kzKXAx05
pM9N40a6Wva7HJxQU4wsHaKoD8rREibJ+Lt9oF7jtXuMJSWtLjF/xkbMc+P1YQpW
BGhPHFvVX320S1hlLAYQkArOYvvt7HWVuWNpnQc5Fgw0GlqQTZGFsapgMcH6qsK8
D1uUC0zD8l8=
=ocYN
-----END PGP SIGNATURE-----
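Worked example for the Smack certificate-validation issue (CVE-2014-0363), described in section 2 of both advisories above. This is an added illustration written for this page in Go using only the standard library; it is not Smack's code and is not part of the Red Hat text. The PKI it builds is constructed in memory on every run, and every name in it (xmpp.example.com, attacker.example.net, "Partner CA") is invented for the demonstration. It shows what the two missing extensions buy: a verifier that only checks that each certificate is signed by the next one and the last by a trusted root (the shape of the flawed ServerTrustManager) accepts a chain in which a root-issued end-entity certificate, or a sub-CA name-constrained to a different domain, has signed a certificate for the server the client wanted to reach; crypto/x509 path validation, which enforces basicConstraints and nameConstraints, rejects both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Outcome records what each verifier said about one chain (nil = accepted).
type Outcome struct{ SignatureOnly, PKIX error }

// must panics on error: the PKI below is built in-process, so failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl builds a template whose basicConstraints extension is always present.
func tmpl(serial int64, cn string, ca bool, dns ...string) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, DNSNames: dns, KeyUsage: ku,
	}
}

// issue signs template with parentKey, or self-signs when parent is nil.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = template, key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifySignaturesOnly reproduces the flawed trust-manager logic: each link must
// be signed by the next, and the top link by the trusted root, nothing more.
func verifySignaturesOnly(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate, host string) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	child := leaf
	for _, parent := range append(append([]*x509.Certificate{}, inters...), root) {
		if err := parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return err
		}
		child = parent
	}
	return nil
}

// verifyPKIX is the corrected check: path validation requires cA=TRUE (and honours
// pathLenConstraint) on every issuer and applies issuers' nameConstraints to the leaf.
func verifyPKIX(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, ic := range inters {
		pool.AddCert(ic)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host})
	return err
}

// Run builds one honest path and two that abuse the missing checks (leaf first).
func Run() map[string]Outcome {
	const host = "xmpp.example.com" // constructed name, not a real service
	root, rootKey := issue(tmpl(1, "Example Root CA", true), nil, nil)
	ca, caKey := issue(tmpl(2, "Example Issuing CA", true), root, rootKey) // honest issuer
	honest, _ := issue(tmpl(3, host, false, host), ca, caKey)
	// A root-issued end-entity certificate (cA=FALSE) signs for the victim's name.
	ee, eeKey := issue(tmpl(4, "attacker.example.net", false, "attacker.example.net"), root, rootKey)
	forged, _ := issue(tmpl(5, host, false, host), ee, eeKey)
	// A sub-CA name-constrained to example.org issues for example.com.
	limited := tmpl(6, "Partner CA", true)
	limited.PermittedDNSDomainsCritical, limited.PermittedDNSDomains = true, []string{"example.org"}
	partner, partnerKey := issue(limited, root, rootKey)
	outside, _ := issue(tmpl(7, host, false, host), partner, partnerKey)
	chains := map[string][]*x509.Certificate{
		"honest": {honest, ca}, "end-entity used as CA": {forged, ee}, "outside name constraint": {outside, partner},
	}
	out := make(map[string]Outcome, len(chains))
	for name, c := range chains {
		out[name] = Outcome{verifySignaturesOnly(c[0], c[1:], root, host), verifyPKIX(c[0], c[1:], root, host)}
	}
	return out
}
```

Run() returns one Outcome per chain: the honest chain passes both checks, while the two attack chains come back with a nil error from the signature-only walk and a non-nil error from Verify. The practical lesson for Java code facing the same class of bug is not to hand-roll chain walking inside an X509TrustManager: delegate to the platform's PKIX validator (the default trust manager, or CertPathValidator.getInstance("PKIX")), which implements RFC 5280 path validation including basicConstraints and nameConstraints, and check the hostname as a separate step.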
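Worked example for the roster IQ spoofing issue (CVE-2014-0364), described in section 2 of both advisories above. Added for this page in Go using only the standard library; it is not Smack's code. The stanzas are constructed samples for a fictitious account alice@example.com, not captured traffic. The point is the check the advisory says ParseRoster omitted: a roster push or roster result is only trustworthy when it comes from the user's own server, which RFC 6121 section 2.1.6 expresses as the 'from' attribute being absent or equal to the user's bare JID. Anything else, including a contact's JID or the user's own full JID from another resource, must be ignored rather than merged into the roster.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

const rosterNS = "jabber:iq:roster"

// ErrSpoofedRoster is returned for a roster query that did not come from the user's server.
var ErrSpoofedRoster = errors.New("roster query rejected: 'from' is not the user's bare JID")

// RosterItem is one contact entry carried in a roster query.
type RosterItem struct {
	JID          string `xml:"jid,attr"`
	Name         string `xml:"name,attr"`
	Subscription string `xml:"subscription,attr"`
}

// rosterIQ is the subset of an <iq/> stanza that roster handling needs.
type rosterIQ struct {
	XMLName xml.Name `xml:"iq"`
	From    string   `xml:"from,attr"`
	Type    string   `xml:"type,attr"`
	Query   struct {
		XMLName xml.Name     `xml:"query"`
		Items   []RosterItem `xml:"item"`
	} `xml:"query"`
}

// bareJID drops any resource and lower-cases the domainpart, which RFC 6122
// defines as case-insensitive. Localpart normalisation (stringprep/PRECIS) is
// out of scope for this example, so localparts are compared byte for byte.
func bareJID(jid string) string {
	if i := strings.IndexByte(jid, '/'); i >= 0 {
		jid = jid[:i]
	}
	at := strings.LastIndexByte(jid, '@')
	return jid[:at+1] + strings.ToLower(jid[at+1:])
}

// ParseRoster decodes a roster query and returns its items only if the stanza
// can have come from the user's own server. RFC 6121 section 2.1.6 (and RFC 6120
// section 8.1.2.1 for anything a server sends on the account's behalf): ignore
// the stanza unless 'from' is absent or is the user's bare JID. A full JID, even
// one of the user's other resources, is rejected: only the server may tell the
// client what its roster contains. This is the check the vulnerable parser omitted.
func ParseRoster(stanza []byte, userJID string) ([]RosterItem, error) {
	var iq rosterIQ
	if err := xml.Unmarshal(stanza, &iq); err != nil {
		return nil, err
	}
	if iq.Query.XMLName.Space != rosterNS {
		return nil, fmt.Errorf("not a roster query (namespace %q)", iq.Query.XMLName.Space)
	}
	if iq.Type != "set" && iq.Type != "result" {
		return nil, fmt.Errorf("roster query carried in iq type %q", iq.Type)
	}
	if from := iq.From; from != "" && (strings.Contains(from, "/") || bareJID(from) != bareJID(userJID)) {
		return nil, fmt.Errorf("%w: from=%q", ErrSpoofedRoster, from)
	}
	return iq.Query.Items, nil
}

// Constructed sample stanzas (not captured traffic) for the fictitious account
// alice@example.com, whose client is logged in with resource "laptop".
const user = "alice@example.com/laptop"

var (
	pushFromServer = []byte(`<iq type='set' id='a1'><query xmlns='jabber:iq:roster'><item jid='bob@example.com' name='Bob' subscription='both'/></query></iq>`)
	pushFromSelf   = []byte(`<iq type='set' id='a2' from='alice@EXAMPLE.com'><query xmlns='jabber:iq:roster'><item jid='carol@example.org' subscription='to'/></query></iq>`)
	spoofed        = []byte(`<iq type='result' id='a3' from='mallory@evil.example'><query xmlns='jabber:iq:roster'><item jid='mallory@evil.example' name='Bob' subscription='both'/></query></iq>`)
	fromOwnFullJID = []byte(`<iq type='set' id='a4' from='alice@example.com/phone'><query xmlns='jabber:iq:roster'><item jid='dave@example.com' subscription='both'/></query></iq>`)
)

func main() {
	for _, s := range [][]byte{pushFromServer, pushFromSelf, spoofed, fromOwnFullJID} {
		items, err := ParseRoster(s, user)
		fmt.Printf("items=%d err=%v\n", len(items), err)
	}
}
```

The first two stanzas are accepted (no 'from', and the user's own bare JID with the domain in a different case); the spoofed result and the push from the user's own full JID are rejected with ErrSpoofedRoster. Without the 'from' check the spoofed stanza would be merged into the local roster, which is the "spoof IQ responses" impact the advisory describes. If a particular deployment's server stamps its bare domain on roster results, extend the allow-list to that one exact value; do not drop the check.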
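Worked example for the Netty fragment-aggregation issue (CVE-2014-0193), described in section 2 of the BRMS advisory above. Added for this page in Go using only the standard library; it is not Netty's code and does not reproduce the WebSocket08FrameDecoder internals. The advisory gives the attack shape, a TextWebSocketFrame followed by a stream of ContinuationWebSocketFrames, and the defence any decoder that reassembles fragments needs is a cap on the reassembled message that is enforced on each frame's declared length before the payload is read, so that neither a long run of small fragments nor a single frame declaring a 64-bit length can push allocation past the cap. Two simplifications, both labelled in the code: frames are handled unmasked (as a server sends them; a client-to-server decoder would XOR-unmask after the same length check), and control frames are rejected rather than consumed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"io"
)

// RFC 6455 opcodes used here. Control frames (0x8 and above) are outside the
// scope of this example and are rejected; a full decoder consumes them.
const OpContinuation, OpText, OpClose byte = 0x0, 0x1, 0x8

var (
	ErrTooLarge = errors.New("websocket: message exceeds MaxMessage")
	ErrProtocol = errors.New("websocket: unexpected frame")
)

// readHeader parses a frame header but not its payload, so the caller can judge
// the declared length before allocating anything for it. Frames are unmasked here.
func readHeader(r io.Reader) (fin bool, opcode byte, length uint64, err error) {
	var b [10]byte
	if _, err = io.ReadFull(r, b[:2]); err != nil {
		return
	}
	fin, opcode = b[0]&0x80 != 0, b[0]&0x0f
	switch n := b[1] & 0x7f; n {
	case 126:
		_, err = io.ReadFull(r, b[2:4])
		length = uint64(binary.BigEndian.Uint16(b[2:4]))
	case 127:
		_, err = io.ReadFull(r, b[2:10])
		length = binary.BigEndian.Uint64(b[2:10])
	default:
		length = uint64(n)
	}
	return
}

// Aggregator reassembles fragmented data messages. MaxMessage bounds the bytes
// buffered for one message and is enforced on each frame's declared length
// before its payload is read, so an endless run of continuation frames is cut
// off at MaxMessage instead of growing the buffer until the process runs out
// of memory.
type Aggregator struct {
	MaxMessage int
	buf        bytes.Buffer
	inMessage  bool
}

func (a *Aggregator) reset() { a.buf.Reset(); a.inMessage = false }

// ReadMessage consumes frames from r until one data message is complete.
func (a *Aggregator) ReadMessage(r io.Reader) ([]byte, error) {
	for {
		fin, opcode, length, err := readHeader(r)
		if err != nil {
			return nil, err
		}
		// Stray continuation, new message while one is open, or control frame: reject.
		if opcode >= OpClose || (opcode == OpContinuation) != a.inMessage {
			a.reset()
			return nil, ErrProtocol
		}
		if length > uint64(a.MaxMessage) || a.buf.Len()+int(length) > a.MaxMessage {
			a.reset()
			return nil, ErrTooLarge // decided on the declared length: nothing allocated or read
		}
		payload := make([]byte, length)
		if _, err := io.ReadFull(r, payload); err != nil {
			return nil, err
		}
		a.buf.Write(payload)
		a.inMessage = !fin
		if fin {
			msg := append([]byte(nil), a.buf.Bytes()...)
			a.reset()
			return msg, nil
		}
	}
}

// Frame encodes one unmasked frame for the constructed sample streams (<= 65535 bytes).
func Frame(fin bool, opcode byte, payload []byte) []byte {
	out := []byte{opcode}
	if fin {
		out[0] |= 0x80
	}
	switch n := len(payload); {
	case n < 126:
		out = append(out, byte(n))
	case n < 1<<16:
		out = append(out, 126, byte(n>>8), byte(n))
	default:
		panic("fixture too large for this encoder")
	}
	return append(out, payload...)
}
```

With MaxMessage set to 1024 and the attacker's stream of 300-byte fragments built with Frame (a text frame, then continuation frames with FIN never set), the aggregator buffers three fragments (900 bytes), reads the fourth header, and returns ErrTooLarge without reading that fragment's payload or anything after it; a single frame declaring a 64-bit length is refused the same way before any allocation. In a Netty pipeline the equivalent control is the maximum content length of whichever handler aggregates fragments, in addition to applying the update this advisory ships.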