Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

         Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
                              2 October 2014


        AusCERT Security Bulletin Summary

Product:           Red Hat JBoss Fuse/A-MQ 6.1.0
Publisher:         Red Hat
Operating System:  Windows
                   Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0225 CVE-2014-0193 CVE-2014-0168
                   CVE-2014-0110 CVE-2014-0109 CVE-2014-0107
                   CVE-2014-0074 CVE-2014-0035 CVE-2014-0034

Reference:         ESB-2014.1653

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat JBoss Fuse/A-MQ 6.1.0 check for an updated version 
         of the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID:       RHSA-2014:1351-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1351.html
Issue date:        2014-10-01
CVE Names:         CVE-2014-0034 CVE-2014-0035 CVE-2014-0074 
                   CVE-2014-0107 CVE-2014-0109 CVE-2014-0110 
                   CVE-2014-0168 CVE-2014-0193 CVE-2014-0225 

1. Summary:

Red Hat JBoss Fuse and A-MQ 6.1.0 Rollup Patch 1, which addresses several
security issues, multiple bug fixes, and adds various enhancements, is now
available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ
6.1.0. It includes bug fixes and enhancements, which are documented in the
readme.txt file included with the patch files. The following security
issues are addressed in this release:

It was discovered that Apache Shiro authenticated users without specifying
a user name or a password when used in conjunction with an LDAP back end
that allowed unauthenticated binds. (CVE-2014-0074)

It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features.
A remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)

It was found that the SecurityTokenService (STS), provided as a part of
Apache CXF, could under certain circumstances accept invalid SAML tokens as
valid. A remote attacker could use a specially crafted SAML token to gain
access to an application that uses STS for validation of SAML tokens.

A denial of service flaw was found in the way Apache CXF created error
messages for certain POST requests. A remote attacker could send a
specially crafted request which, when processed by an application using
Apache CXF, could consume an excessive amount of memory on the system,
possibly triggering an Out Of Memory (OOM) error. (CVE-2014-0109)

It was found that when a large invalid SOAP message was processed by Apache
CXF, it could be saved to a temporary file in the /tmp directory. A remote
attacker could send a specially crafted SOAP message that, when processed
by an application using Apache CXF, would use an excessive amount of disk
space, possibly causing a denial of service. (CVE-2014-0110)

It was found that Jolokia was vulnerable to Cross-Site Request Forgery
(CSRF) attacks. A remote attacker could provide a specially crafted web
page that, when visited by a user logged in to Jolokia, could allow the
attacker to execute arbitrary methods on MBeans exposed via JMX.

It was found that the Spring Framework did not, by default, disable the
resolution of URI references in a DTD declaration when processing
user-provided XML documents. By observing differences in response times, an
attacker could identify valid IP addresses on the internal network with
functioning web servers. (CVE-2014-0225)

It was discovered that UsernameTokens were sent in plain text by an Apache
CXF client that used a Symmetric EncryptBeforeSigning password policy.
A man-in-the-middle attacker could use this flaw to obtain the user name
and password used by the client application using Apache CXF.

A flaw was found in the WebSocket08FrameDecoder implementation that could
allow a remote attacker to trigger an Out Of Memory Exception by issuing a
series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on
the server configuration, this could lead to a denial of service.

Refer to the readme.txt file included with the patch files for
installation instructions.

Red Hat would like to thank James Roper of Typesafe for reporting the
CVE-2014-0193 issue.

All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as
provided from the Red Hat Customer Portal are advised to apply this
security update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1072603 - CVE-2014-0074 Apache Shiro: successful authentication without specifying user name or password
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1084838 - CVE-2014-0168 Jolokia: cross-site request forgery (CSRF)
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1093526 - CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
1093527 - CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
1093529 - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
1093530 - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
1110110 - CVE-2014-0225 Spring Framework: Information disclosure via SSRF

5. References:


6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967