Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.2347 Important: Red Hat JBoss Fuse and MQ security updates 7 October 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat JBoss Fuse Red Hat JBoss MQ Publisher: Red Hat Operating System: Windows Red Hat Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-4437 CVE-2016-2510 CVE-2016-2141 CVE-2015-7940 CVE-2015-5348 CVE-2015-5344 CVE-2015-3192 Reference: ESB-2016.1692 ESB-2016.0588 ESB-2015.3119 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2016-2035.html https://rhn.redhat.com/errata/RHSA-2016-2036.html Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Fuse 6.3 security update Advisory ID: RHSA-2016:2035-01 Product: Red Hat JBoss Fuse Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2035.html Issue date: 2016-10-06 CVE Names: CVE-2015-3192 CVE-2015-5344 CVE-2015-5348 CVE-2015-7940 CVE-2016-2141 CVE-2016-2510 CVE-2016-4437 ===================================================================== 1. Summary: Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes. Security Fix(es): It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141) A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510) It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437) A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192) It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344) It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348) It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940) The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat). Refer to the Product Documentation link in the References section for installation instructions. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys 1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet 1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 1313589 - CVE-2016-2141 Authorization bypass in JGroups 1343346 - CVE-2016-4437 shiro: Security constraint bypass 5. References: https://access.redhat.com/security/cve/CVE-2015-3192 https://access.redhat.com/security/cve/CVE-2015-5344 https://access.redhat.com/security/cve/CVE-2015-5348 https://access.redhat.com/security/cve/CVE-2015-7940 https://access.redhat.com/security/cve/CVE-2016-2141 https://access.redhat.com/security/cve/CVE-2016-2510 https://access.redhat.com/security/cve/CVE-2016-4437 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0 https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc X467FkxtKPz7MAU5sEu9U/c= =tF7y - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss A-MQ 6.3 security update Advisory ID: RHSA-2016:2036-01 Product: Red Hat JBoss A-MQ Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2036.html Issue date: 2016-10-06 CVE Names: CVE-2015-3192 CVE-2015-7940 CVE-2016-4437 ===================================================================== 1. Summary: Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes. Security Fix(es): It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437) A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192) It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940) Refer to the Product Documentation link in the References section for installation instructions. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys 1343346 - CVE-2016-4437 shiro: Security constraint bypass 5. References: https://access.redhat.com/security/cve/CVE-2015-3192 https://access.redhat.com/security/cve/CVE-2015-7940 https://access.redhat.com/security/cve/CVE-2016-4437 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0 https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX9nl/XlSAg2UNWIIRAn5DAKCeqOJhy3a+EAGO1sG/lNuo/JWFgQCfQRGS 3jDFUUI5eQBAO6ioMdCl8mQ= =CjkF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV/buDIx+lLeg9Ub1AQiFdRAAlqdUP+vcDpOBga+uw8cI+2IqREJ12ric c9GYGijde/YnXT7xkgAFuYwOrFl9Cyrme7GOlv7CgyFRgt7C3DyEyhWlRHB3xqn2 M9Ff4naisUzJErXnhMklebGyHpw5X8HSJvikyFZV42jRSa98/1BOGc1Dzm73SGHn 11ew2SxbS/HB8FpX4zv6YKd3nsCrMEBMdoJxuRI3H3OxxWZwjfkNrUZf9KsI08ji Do1e9KPphkT8nNezN9B34+iicQTes8Ev0cDlH8mA6n7fJoAJAsSQkPozXxPo0OLJ TwCKMDdmUIIgiPaNvo7p1iyy4EvDcNU3zdRiFdZECz/IfxtsdUTVSDqf3IoMZact zBWWNBaZFt/mMDbmgKfoZ+P5Vzea1S7yX2Js4RyD7LK1K9LRgTYXDhXEezSdmILM Yv5AFV4cPsNSjlVRjWklKvZbnA3gkxwXuBBFVORGB4ByBfQ6OOnn8+Tof6P+Ypjx 8oeGtml2AZ/mqO/HExKNjE6xKlQyQ+9KFdcPMjub5jPhrD8QpeSUk86909COu/mR Z+q2GRNB6eijNWIEAyy142O7wOX5iCzCL5B7rh3266QC3PH0i/Om65C3olR+JqFt nK8cIF3O6dGqe4Ewf7Hl1/pFXu6CUzfhLNS9xf9s/zKIKQyoOdyi/azARlxq8Dcb PXtIxUUj5M0= =ywUM -----END PGP SIGNATURE-----