-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0191
              Important: Red Hat JBoss Data Grid 6.4.0 update
                              28 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Data Grid
Publisher:         Red Hat
Operating System:  Red Hat
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3530  

Reference:         ESB-2014.1203

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2015-0091.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat JBoss Data Grid check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Data Grid 6.4.0 update
Advisory ID:       RHSA-2015:0091-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0091.html
Issue date:        2015-01-27
CVE Names:         CVE-2014-3530 
=====================================================================

1. Summary:

Red Hat JBoss Data Grid 6.4.0, which fixes one security issue, multiple
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.

This release of Red Hat JBoss Data Grid 6.4.0 serves as a replacement for
Red Hat JBoss Data Grid 6.3.1. It includes various bug fixes and
enhancements, which are detailed in the Red Hat JBoss Data Grid 6.4.0
Release Notes. The Release Notes are available at:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

This update also fixes the following security issue:

It was found that the implementation of the
org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method
returned a DocumentBuilderFactory left at its defaults, so parsers built
from it resolved external entity references declared in a DOCTYPE. A
remote, unauthenticated attacker who could submit XML to the application
(for example a SAML assertion) could use this flaw to read files
accessible to the user running the application server, and potentially
perform other more advanced XXE attacks such as server-side request
forgery or denial of service. (CVE-2014-3530)

Red Hat would like to thank Alexander Papadakis for reporting
CVE-2014-3530.

All users of Red Hat JBoss Data Grid 6.3.1 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.4.0.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Data Grid installation.

4. Bugs fixed (https://bugzilla.redhat.com/):

1112987 - CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage

5. References:

https://access.redhat.com/security/cve/CVE-2014-3530
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=6.4.0
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUx8WZXlSAg2UNWIIRApApAJwKhC9uy+xJKMxTjX+3dV1BO5lP+wCeNGhj
2JvftkUTyLhIPXQ7qNxkI88=
=iyQZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=q0Y2
-----END PGP SIGNATURE-----