
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1064
       Important: Red Hat JBoss BRMS 6.0.2 update and Red Hat JBoss
                          BPM Suite 6.0.2 update
                                1 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss BRMS
                   Red Hat JBoss BPM
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0364 CVE-2014-0363 CVE-2014-0193
                   CVE-2014-0107  

Reference:         ESB-2014.1016
                   ESB-2014.0864
                   ESB-2014.0629
                   ESB-2014.0422
                   ESB-2014.0398

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2014-0818.html
   https://rhn.redhat.com/errata/RHSA-2014-0819.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat JBoss BRMS or Red Hat JBoss BPM check for an updated
         version of the software for their operating system.
         
         This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.0.2 update
Advisory ID:       RHSA-2014:0818-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0818.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0193 CVE-2014-0363 
                   CVE-2014-0364 
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.0.2, which fixes multiple security issues, various
bugs, and adds enhancements, is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.0.2 serves as a replacement for Red
Hat JBoss BRMS 6.0.1, and includes bug fixes and enhancements. Refer to the
Red Hat JBoss BRMS 6.0.2 Release Notes for information on the most
significant of these changes. The Release Notes will be available shortly
at https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features.
A remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not
verify basicConstraints and nameConstraints in X.509 certificate chains.
A man-in-the-middle attacker could use this flaw to spoof servers and
obtain sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not
verify the From attribute of a roster-query IQ stanza. A remote attacker
could use this flaw to spoof IQ responses. (CVE-2014-0364)

A flaw was found in the WebSocket08FrameDecoder implementation that could
allow a remote attacker to trigger an Out Of Memory Exception by issuing a
series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on
the server configuration, this could lead to a denial of service.
(CVE-2014-0193)
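The defensive side of the aggregation problem described above, as an added illustration that is not Netty's code and not part of the advisory: a fragment aggregator in Python (chosen so it runs stand-alone; the real decoder is Java) that bounds how much it will buffer for one in-progress message and discards the partial buffer as soon as the cap is exceeded. The `Frame`, `FrameAggregator` and `flood_outcome` names are assumptions of this example.

```python
from dataclasses import dataclass
@dataclass
class Frame:
    opcode: str     # "text" opens a message, "continuation" extends it
    payload: bytes
    final: bool     # FIN bit: True on the last fragment of a message

class TooLongFrameError(Exception): """Fragments of one message exceeded the cap."""

class FrameAggregator:
    """Joins fragments into one message, holding at most max_content_length bytes."""

    def __init__(self, max_content_length: int):
        self.max_content_length = max_content_length
        self._reset()

    def _reset(self) -> None:
        self._buf = bytearray()
        self._in_message = False

    def feed(self, frame: Frame):
        """Return the complete message on its final fragment, else None."""
        if frame.opcode == "text" and not self._in_message:
            self._in_message = True
        elif frame.opcode != "continuation" or not self._in_message:
            self._reset()
            raise ValueError("fragment out of sequence")
        # Security-relevant check: never grow past the cap, and drop the partial
        # buffer so a stream of non-final fragments cannot pin memory.
        if len(self._buf) + len(frame.payload) > self.max_content_length:
            self._reset()
            raise TooLongFrameError(f"aggregate exceeds {self.max_content_length} bytes")
        self._buf.extend(frame.payload)
        if not frame.final:
            return None
        message = bytes(self._buf)
        self._reset()
        return message

def flood_outcome(max_content_length: int, chunk: bytes, n_frames: int):
    """Constructed scenario: one non-final text frame, then n_frames non-final
    continuation fragments; ("rejected", accepted) when the cap trips, else ("buffered", bytes)."""
    agg = FrameAggregator(max_content_length)
    agg.feed(Frame("text", b"", final=False))
    for i in range(n_frames):
        try:
            agg.feed(Frame("continuation", chunk, final=False))
        except TooLongFrameError:
            return ("rejected", i)
    return ("buffered", len(agg._buf))
```

Without the cap, the same loop would grow the buffer by one chunk per fragment for as long as the peer keeps sending; with it, memory held per connection is bounded by `max_content_length`.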

Red Hat would like to thank James Roper of Typesafe for reporting the
CVE-2014-0193 issue.

All users of Red Hat JBoss BRMS 6.0.1 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the server by starting the JBoss Application Server
process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0193.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.0.2 update
Advisory ID:       RHSA-2014:0819-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0819.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0363 CVE-2014-0364 
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.0.2, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.0.2 serves as a replacement for
Red Hat JBoss BPM Suite 6.0.1, and includes bug fixes and enhancements.
Refer to the Red Hat JBoss BPM Suite 6.0.2 Release Notes for information
on the most significant of these changes. The Release Notes will be
available shortly at
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features. A
remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not
verify basicConstraints and nameConstraints in X.509 certificate chains. A
man-in-the-middle attacker could use this flaw to spoof servers and obtain
sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not
verify the From attribute of a roster-query IQ stanza. A remote attacker
could use this flaw to spoof IQ responses. (CVE-2014-0364)
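The check that both advisories (RHSA-2014:0818 and RHSA-2014:0819) say was missing for CVE-2014-0364, as an added example that is neither the Smack project's code nor part of the advisory text: before a roster-query IQ is applied, its From attribute must be absent or carry the user's own bare JID (RFC 6121, section 2.1.6). Written in Python with the standard XML parser so it runs stand-alone; the `OWN_JID` value and the three stanzas are constructed for illustration, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"

def bare_jid(jid: str) -> str:
    """user@host/resource -> user@host (the resource part is dropped)."""
    return jid.split("/", 1)[0]

def _local_name(tag: str) -> str:
    """Strip an ElementTree namespace prefix such as {jabber:client}."""
    return tag.rsplit("}", 1)[-1]

def roster_iq_is_trusted(stanza_xml: str, own_jid: str) -> bool:
    """A roster IQ may be accepted only if it carries no 'from' attribute or one
    whose bare JID equals the user's own bare JID (RFC 6121, section 2.1.6)."""
    iq = ET.fromstring(stanza_xml)
    if _local_name(iq.tag) != "iq":
        return False
    if iq.find(f"{{{NS_ROSTER}}}query") is None:
        return False
    sender = iq.get("from")
    return sender is None or bare_jid(sender) == bare_jid(own_jid)

def roster_items(stanza_xml: str, own_jid: str) -> list[tuple[str, str]]:
    """Return (jid, subscription) pairs from a trusted roster IQ; an untrusted
    stanza yields nothing, so a third-party push never reaches the roster."""
    if not roster_iq_is_trusted(stanza_xml, own_jid):
        return []
    query = ET.fromstring(stanza_xml).find(f"{{{NS_ROSTER}}}query")
    return [(item.get("jid"), item.get("subscription", "none"))
            for item in query.findall(f"{{{NS_ROSTER}}}item")]

# Constructed stanzas for illustration (not captured traffic).
OWN_JID = "juliet@example.com/balcony"
SERVER_PUSH = ('<iq type="set" id="push1"><query xmlns="jabber:iq:roster">'
               '<item jid="romeo@example.net" subscription="both"/></query></iq>')
EXPLICIT_FROM = ('<iq type="set" id="push2" from="juliet@example.com">'
                 '<query xmlns="jabber:iq:roster">'
                 '<item jid="nurse@example.com" subscription="to"/></query></iq>')
THIRD_PARTY = ('<iq type="set" id="push3" from="someone@example.org/pc">'
               '<query xmlns="jabber:iq:roster">'
               '<item jid="someone@example.org" subscription="both"/></query></iq>')
```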

All users of Red Hat JBoss BPM Suite 6.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the server by starting the JBoss Application Server
process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================