===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3058
                       Important: Red Hat JBoss updates
                               8 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Fuse 6.2.1
                   Red Hat JBoss A-MQ 6.2.1
                   Red Hat JBoss Fuse Service Works 6.2.1
                   Red Hat JBoss BRMS 6.2.0
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7501 CVE-2015-6748 CVE-2015-5181 CVE-2015-3253
                   CVE-2015-0264 CVE-2015-0263 CVE-2015-0250
Reference:         ESB-2015.2935
                   ESB-2015.2012

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2015-2556.html
   https://rhn.redhat.com/errata/RHSA-2015-2557.html
   https://rhn.redhat.com/errata/RHSA-2015-2558.html
   https://rhn.redhat.com/errata/RHSA-2015-2559.html
   https://rhn.redhat.com/errata/RHSA-2015-2560.html

Comment: This bulletin contains five (5) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.2.1 update
Advisory ID:       RHSA-2015:2556-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2556.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-3253 CVE-2015-5181 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.2.1, which fixes three security issues, several bugs,
and adds various enhancements, is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.2.1 is a micro product release that updates Red Hat
JBoss Fuse 6.2.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

The following security fixes are addressed in this release:

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

Further information about this issue may be found at:
https://access.redhat.com/solutions/2045023

A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not isolate
the code which deserializes objects are subject to this vulnerability.
(CVE-2015-3253)

It was found that the JBoss A-MQ console would accept a string containing
JavaScript as the name of a new message queue. Execution of the UI would
subsequently execute the script. An attacker could use this flaw to access
sensitive information or perform other attacks. (CVE-2015-5181)

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for
reporting CVE-2015-5181.

All users of Red Hat JBoss Fuse 6.2.0 are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1248804 - CVE-2015-5181 A-MQ Console: script injection into queue name
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. JIRA issues fixed (https://issues.jboss.org/):

ENTESB-4398 - Arbitrary remote code execution with InvokerTransformer

6. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-5181
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.2.1
https://access.redhat.com/solutions/2045023
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss A-MQ 6.2.1 update
Advisory ID:       RHSA-2015:2557-01
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2557.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-3253 CVE-2015-5181 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss A-MQ 6.2.1, which fixes three security issues, several bugs,
and adds various enhancements, is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.2.1 is a micro product release that updates Red Hat
JBoss A-MQ 6.2.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

The following security fixes are addressed in this release:

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

Further information about this issue may be found at:
https://access.redhat.com/solutions/2045023

A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not isolate
the code which deserializes objects are subject to this vulnerability.
(CVE-2015-3253)

It was found that the JBoss A-MQ console would accept a string containing
JavaScript as the name of a new message queue. Execution of the UI would
subsequently execute the script. An attacker could use this flaw to access
sensitive information or perform other attacks. (CVE-2015-5181)

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for
reporting CVE-2015-5181.

All users of Red Hat JBoss A-MQ 6.2.0 as provided from the Red Hat Customer
Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1248804 - CVE-2015-5181 A-MQ Console: script injection into queue name
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. JIRA issues fixed (https://issues.jboss.org/):

ENTESB-4398 - Arbitrary remote code execution with InvokerTransformer

6. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-5181
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.2.1
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/
https://access.redhat.com/solutions/2045023

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse Service Works 6.2.1 update
Advisory ID:       RHSA-2015:2558-01
Product:           Red Hat JBoss Fuse Service Works
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2558.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0263 CVE-2015-0264 CVE-2015-3253
=====================================================================

1. Summary:

Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues and
various bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.

This release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a
replacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various
bug fixes, which are listed in the README file included with the patch files.

The following security issues are fixed with this release:

A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not isolate
the code which deserializes objects are subject to this vulnerability.
(CVE-2015-3253)

It was found that Apache Camel's XML converter performed XML External Entity
(XXE) expansion. A remote attacker able to submit an SAXSource containing an
XXE declaration could use this flaw to read files accessible to the user
running the application server, and potentially perform other more advanced
XXE attacks. (CVE-2015-0263)

It was found that Apache Camel performed XML External Entity (XXE) expansion
when evaluating invalid XML Strings or invalid XML GenericFile objects. A
remote attacker able to submit a crafted XML message could use this flaw to
read files accessible to the user running the application server, and
potentially perform other more advanced XXE attacks. (CVE-2015-0264)

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red
Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the updates).

Before applying the updates, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update, and then after installing the update,
restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203341 - CVE-2015-0264 Camel: XXE via XPath expression evaluation
1203344 - CVE-2015-0263 Camel: XXE in via SAXSource expansion
1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure

5. References:

https://access.redhat.com/security/cve/CVE-2015-0263
https://access.redhat.com/security/cve/CVE-2015-0264
https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss BRMS 6.2.0 update
Advisory ID:       RHSA-2015:2559-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2559.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0250 CVE-2015-6748 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.2.0, which fixes three security issues, several bugs,
and adds various enhancements, is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management,
storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.2.0 serves as a replacement for Red Hat
JBoss BRMS 6.1.2, and includes bug fixes and enhancements. Refer to the Red
Hat JBoss BRMS 6.2.0 Release Notes for information on the most significant of
these changes. The Release Notes are available at
https://access.redhat.com/documentation/en/red-hat-jboss-brms/

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

It was found that batik was vulnerable to XML External Entity attacks when
parsing SVG files. A remote attacker able to send malicious SVG content to
the affected server could use this flaw to read files accessible to the user
running the application server, and potentially perform other more advanced
XXE attacks. (CVE-2015-0250)

It was found that jsoup did not properly validate user-supplied HTML content;
certain HTML snippets could get past the validator without being detected as
unsafe. A remote attacker could use a specially crafted HTML snippet to
execute arbitrary web script in the user's browser. (CVE-2015-6748)

All users of Red Hat JBoss BRMS 6.1.2 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.2.0.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so
on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update, and then after installing the update,
restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203762 - CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
1258310 - CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-0250
https://access.redhat.com/security/cve/CVE-2015-6748
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.2.0
https://access.redhat.com/documentation/en/red-hat-jboss-brms/
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss BPM Suite 6.2.0 update
Advisory ID:       RHSA-2015:2560-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2560.html
Issue date:        2015-12-07
CVE Names:         CVE-2015-0250 CVE-2015-6748 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.2.0, which fixes three security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of JBoss
rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.2.0 serves as a replacement for Red
Hat JBoss BPM Suite 6.1.2, and includes bug fixes and enhancements. Refer to
the Red Hat JBoss BPM Suite 6.2.0 Release Notes for information on the most
significant of these changes. The Release Notes are available at
https://access.redhat.com/documentation/en/red-hat-jboss-brms/

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

It was found that batik was vulnerable to XML External Entity attacks when
parsing SVG files. A remote attacker able to send malicious SVG content to
the affected server could use this flaw to read files accessible to the user
running the application server, and potentially perform other more advanced
XXE attacks. (CVE-2015-0250)

It was found that jsoup did not properly validate user-supplied HTML content;
certain HTML snippets could get past the validator without being detected as
unsafe. A remote attacker could use a specially crafted HTML snippet to
execute arbitrary web script in the user's browser. (CVE-2015-6748)

All users of Red Hat JBoss BPM Suite 6.1.2 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.2.0.

3. Solution:

The References section of this erratum contains a download link (you must log
in to download the update).

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so
on.
It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update, and then after installing the update,
restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203762 - CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
1258310 - CVE-2015-6748 jsoup: XSS vulnerability related to incomplete tags at EOF
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-0250
https://access.redhat.com/security/cve/CVE-2015-6748
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.2.0
https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================