-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2347
           Important: Red Hat JBoss Fuse and MQ security updates
                              7 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Fuse
                   Red Hat JBoss MQ
Publisher:         Red Hat
Operating System:  Windows
                   Red Hat
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4437 CVE-2016-2510 CVE-2016-2141
                   CVE-2015-7940 CVE-2015-5348 CVE-2015-5344
                   CVE-2015-3192  

Reference:         ESB-2016.1692
                   ESB-2016.0588
                   ESB-2015.3119

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2016-2035.html
   https://rhn.redhat.com/errata/RHSA-2016-2036.html

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.3 security update
Advisory ID:       RHSA-2016:2035-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2035.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-5344 CVE-2015-5348 
                   CVE-2015-7940 CVE-2016-2141 CVE-2016-2510 
                   CVE-2016-4437 
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat
JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.

Security Fix(es):

It was found that JGroups did not require necessary headers for encrypt and
auth protocols from new nodes joining the cluster. An attacker could use
this flaw to bypass security restrictions, and use this vulnerability to
send and receive messages within the cluster, leading to information
disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

A deserialization flaw allowing remote code execution was found in the
BeanShell library. If BeanShell was on the classpath, it could permit code
execution if another part of the application deserialized objects involving
a specially constructed chain of classes. A remote attacker could use this
flaw to execute arbitrary code with the permissions of the application
using the BeanShell library. (CVE-2016-2510)

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that Apache Camel's camel-xstream component was vulnerable to
Java object deserialization. This vulnerability permits deserialization of
data which could lead to information disclosure, code execution, or other
possible attacks. (CVE-2015-5344)

It was found that Apache Camel's Jetty/Servlet permitted object
deserialization. If using camel-jetty or camel-servlet as a consumer in
Camel routes, then Camel will automatically deserialize HTTP requests that
use the content-header: application/x-java-serialized-object. An attacker
could use this vulnerability to gain access to unauthorized information or
conduct further attacks. (CVE-2015-5348)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-5344
https://access.redhat.com/security/cve/CVE-2015-5348
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/cve/CVE-2016-2510
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc
X467FkxtKPz7MAU5sEu9U/c=
=tF7y
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss A-MQ 6.3 security update
Advisory ID:       RHSA-2016:2036-01
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2036.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-7940 CVE-2016-4437 
=====================================================================

1. Summary:

Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat
JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.

Security Fix(es):

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl/XlSAg2UNWIIRAn5DAKCeqOJhy3a+EAGO1sG/lNuo/JWFgQCfQRGS
3jDFUUI5eQBAO6ioMdCl8mQ=
=CjkF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV/buDIx+lLeg9Ub1AQiFdRAAlqdUP+vcDpOBga+uw8cI+2IqREJ12ric
c9GYGijde/YnXT7xkgAFuYwOrFl9Cyrme7GOlv7CgyFRgt7C3DyEyhWlRHB3xqn2
M9Ff4naisUzJErXnhMklebGyHpw5X8HSJvikyFZV42jRSa98/1BOGc1Dzm73SGHn
11ew2SxbS/HB8FpX4zv6YKd3nsCrMEBMdoJxuRI3H3OxxWZwjfkNrUZf9KsI08ji
Do1e9KPphkT8nNezN9B34+iicQTes8Ev0cDlH8mA6n7fJoAJAsSQkPozXxPo0OLJ
TwCKMDdmUIIgiPaNvo7p1iyy4EvDcNU3zdRiFdZECz/IfxtsdUTVSDqf3IoMZact
zBWWNBaZFt/mMDbmgKfoZ+P5Vzea1S7yX2Js4RyD7LK1K9LRgTYXDhXEezSdmILM
Yv5AFV4cPsNSjlVRjWklKvZbnA3gkxwXuBBFVORGB4ByBfQ6OOnn8+Tof6P+Ypjx
8oeGtml2AZ/mqO/HExKNjE6xKlQyQ+9KFdcPMjub5jPhrD8QpeSUk86909COu/mR
Z+q2GRNB6eijNWIEAyy142O7wOX5iCzCL5B7rh3266QC3PH0i/Om65C3olR+JqFt
nK8cIF3O6dGqe4Ewf7Hl1/pFXu6CUzfhLNS9xf9s/zKIKQyoOdyi/azARlxq8Dcb
PXtIxUUj5M0=
=ywUM
-----END PGP SIGNATURE-----