-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2398
     Important: Red Hat JBoss Enterprise Application Platform updates
                              13 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Enterprise Application Platform
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4459 CVE-2016-3110 CVE-2016-2109
                   CVE-2016-2108 CVE-2016-2106 CVE-2016-2105
                   CVE-2015-4000 CVE-2015-3195 CVE-2015-3183

Reference:         ASB-2016.0074
                   ASB-2016.0043
                   ASB-2016.0004
                   ASB-2015.0103
                   ASB-2015.0070
                   ESB-2016.1076
                   ESB-2016.0250
                   ESB-2015.3042

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2016-2054.html
   https://rhn.redhat.com/errata/RHSA-2016-2055.html
   https://rhn.redhat.com/errata/RHSA-2016-2056.html

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 7
Advisory ID:       RHSA-2016:2054-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2054.html
Issue date:        2016-10-12
CVE Names:         CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 
                   CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 
                   CVE-2016-2109 CVE-2016-3110 CVE-2016-4459 
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.4.10 natives, fix several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch, ppc64, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7. 

This release includes bug fixes and enhancements, as well as a new release
of OpenSSL that addresses a number of outstanding security flaws. For
further information, see the knowledge base article linked to in the
References section. All users of Red Hat JBoss Enterprise Application
Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these
updated packages. The JBoss server process must be restarted for the update
to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data
structures. An attacker could use this flaw to create a specially crafted
certificate which, when verified or re-encoded by OpenSSL, could cause it
to crash, or execute arbitrary code using the permissions of the user
running an application compiled against the OpenSSL library.
(CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7
and CMS data. A remote attacker could use this flaw to cause an application
that parses PKCS#7 or CMS data from untrusted sources to use an excessive
amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman
exchange (for both export and non-export grade cipher suites). An attacker
could use this flaw to downgrade a DHE connection to use export-grade key
sizes, which could then be broken by sufficient pre-computation. This can
lead to a passive man-in-the-middle attack in which the attacker is able to
decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
of input data. A remote attacker could use this flaw to crash an
application using OpenSSL or, possibly, execute arbitrary code with the
permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely segfault the Apache HTTP
server with a specially crafted string sent to mod_cluster via service
messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain
ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An
application using OpenSSL that accepts untrusted ASN.1 BIO input could be
forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying configuration with a JVMRoute path
longer than 80 characters will cause a segmentation fault, leading to a
server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for
reporting CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert
Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno
Böck, and David Benjamin (Google) as the original reporters of
CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105
and CVE-2016-2106.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
1345989 - RHEL7 RPMs: Upgrade mod_cluster-native to 1.2.13.Final-redhat-1
1345993 - RHEL7 RPMs: Upgrade mod_jk to 1.2.41.redhat-1
1345997 - RHEL7 RPMs: Upgrade tomcat-native to 1.1.34

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.src.rpm
httpd22-2.2.26-56.ep6.el7.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.src.rpm
mod_jk-1.2.41-2.redhat_4.ep6.el7.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.src.rpm

noarch:
jbcs-httpd24-1-3.jbcs.el7.noarch.rpm
jbcs-httpd24-runtime-1-3.jbcs.el7.noarch.rpm

ppc64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
httpd22-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-debuginfo-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-devel-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-manual-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-tools-2.2.26-56.ep6.el7.ppc64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el7.ppc64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el7.ppc64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el7.ppc64.rpm
mod_ldap22-2.2.26-56.ep6.el7.ppc64.rpm
mod_ssl22-2.2.26-56.ep6.el7.ppc64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm

x86_64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
httpd22-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-debuginfo-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-devel-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-manual-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-tools-2.2.26-56.ep6.el7.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el7.x86_64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el7.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el7.x86_64.rpm
mod_ldap22-2.2.26-56.ep6.el7.x86_64.rpm
mod_ssl22-2.2.26-56.ep6.el7.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/nCuXlSAg2UNWIIRAq6gAKCk3O4+LVrC6nN6yUHOOzpm8GB7NQCcDcA0
n7n6E5uqbAY0W1AG5Z+9yy8=
=6ET2
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 6
Advisory ID:       RHSA-2016:2055-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2055.html
Issue date:        2016-10-12
CVE Names:         CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 
                   CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 
                   CVE-2016-2109 CVE-2016-3110 CVE-2016-4459 
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.4.10 natives, fix several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - i386, noarch, ppc64, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7. 

This release includes bug fixes and enhancements, as well as a new release
of OpenSSL that addresses a number of outstanding security flaws. For
further information, see the knowledge base article linked to in the
References section. All users of Red Hat JBoss Enterprise Application
Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these
updated packages. The JBoss server process must be restarted for the update
to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data
structures. An attacker could use this flaw to create a specially crafted
certificate which, when verified or re-encoded by OpenSSL, could cause it
to crash, or execute arbitrary code using the permissions of the user
running an application compiled against the OpenSSL library.
(CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7
and CMS data. A remote attacker could use this flaw to cause an application
that parses PKCS#7 or CMS data from untrusted sources to use an excessive
amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman
exchange (for both export and non-export grade cipher suites). An attacker
could use this flaw to downgrade a DHE connection to use export-grade key
sizes, which could then be broken by sufficient pre-computation. This can
lead to a passive man-in-the-middle attack in which the attacker is able to
decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
of input data. A remote attacker could use this flaw to crash an
application using OpenSSL or, possibly, execute arbitrary code with the
permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely segfault the Apache HTTP
server with a specially crafted string sent to mod_cluster via service
messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain
ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An
application using OpenSSL that accepts untrusted ASN.1 BIO input could be
forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying configuration with a JVMRoute path
longer than 80 characters will cause a segmentation fault, leading to a
server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for
reporting CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert
Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno
Böck, and David Benjamin (Google) as the original reporters of
CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105
and CVE-2016-2106.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
1345987 - RHEL6 RPMs: Upgrade mod_cluster-native to 1.2.13.Final-redhat-1
1345991 - RHEL6 RPMs: Upgrade mod_jk to 1.2.41.redhat-1
1345995 - RHEL6 RPMs: Upgrade tomcat-native to 1.1.34

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.src.rpm
httpd-2.2.26-54.ep6.el6.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
mod_jk-1.2.41-2.redhat_4.ep6.el6.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm

i386:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
httpd-2.2.26-54.ep6.el6.i386.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.i386.rpm
httpd-devel-2.2.26-54.ep6.el6.i386.rpm
httpd-manual-2.2.26-54.ep6.el6.i386.rpm
httpd-tools-2.2.26-54.ep6.el6.i386.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.i386.rpm
mod_ldap-2.2.26-54.ep6.el6.i386.rpm
mod_ssl-2.2.26-54.ep6.el6.i386.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.i386.rpm

noarch:
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm

ppc64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
httpd-2.2.26-54.ep6.el6.ppc64.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.ppc64.rpm
httpd-devel-2.2.26-54.ep6.el6.ppc64.rpm
httpd-manual-2.2.26-54.ep6.el6.ppc64.rpm
httpd-tools-2.2.26-54.ep6.el6.ppc64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.ppc64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.ppc64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.ppc64.rpm
mod_ldap-2.2.26-54.ep6.el6.ppc64.rpm
mod_ssl-2.2.26-54.ep6.el6.ppc64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm

x86_64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
httpd-2.2.26-54.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.x86_64.rpm
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.x86_64.rpm
mod_ldap-2.2.26-54.ep6.el6.x86_64.rpm
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/nC3XlSAg2UNWIIRAl73AJwMWQGEz9iZUcT7H8h4DJigvv8JtgCdHdCf
4sZxcVqDWWAwzVeNvxo3kSk=
=hA1L
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.10 update
Advisory ID:       RHSA-2016:2056-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2056.html
Issue date:        2016-10-12
CVE Names:         CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 
                   CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 
                   CVE-2016-2109 CVE-2016-3110 CVE-2016-4459 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This release includes bug fixes and enhancements, as well as a new release
of OpenSSL that addresses a number of outstanding security flaws. For
further information, see the knowledge base article linked to in the
References section. All users of Red Hat JBoss Enterprise Application
Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these
updated packages.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data
structures. An attacker could use this flaw to create a specially crafted
certificate which, when verified or re-encoded by OpenSSL, could cause it
to crash, or execute arbitrary code using the permissions of the user
running an application compiled against the OpenSSL library.
(CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7
and CMS data. A remote attacker could use this flaw to cause an application
that parses PKCS#7 or CMS data from untrusted sources to use an excessive
amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman
exchange (for both export and non-export grade cipher suites). An attacker
could use this flaw to downgrade a DHE connection to use export-grade key
sizes, which could then be broken by sufficient pre-computation. This can
lead to a passive man-in-the-middle attack in which the attacker is able to
decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
of input data. A remote attacker could use this flaw to crash an
application using OpenSSL or, possibly, execute arbitrary code with the
permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely segfault the Apache HTTP
server with a specially crafted string sent to mod_cluster via service
messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain
ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An
application using OpenSSL that accepts untrusted ASN.1 BIO input could be
forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying configuration with a JVMRoute path
longer than 80 characters will cause a segmentation fault, leading to a
server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for
reporting CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert
Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno
Böck, and David Benjamin (Google) as the original reporters of
CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105
and CVE-2016-2106.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute

5. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/nC9XlSAg2UNWIIRAnxyAJ9e/4EllYuokmkD6tLkfhHL3pZ0mQCgh8zG
yB8E4qH53UH71bMzQwek8yU=
=eQHg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
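
Added example (not part of the AusCERT bulletin or the Red Hat advisories): a check of installed packages against the fixed builds named in the "Package List" sections above, using an RPM-style segment comparison. The fixed file names are copied from the RHEL 7 x86_64 list; the installed list is constructed sample output in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`; epochs and the `~` ordering rule are assumed not to apply to these packages.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings the way RPM orders them.

    Strings are split into runs of digits and runs of letters; separators
    are ignored. Numeric runs compare as integers, alphabetic runs as
    strings, and a numeric run is newer than an alphabetic one.
    Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(text):
    """Split 'name-version-release.arch[.rpm]' into its four parts."""
    text = text.strip()
    if text.endswith(".rpm"):
        text = text[:-4]
    nvr, arch = text.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def audit(fixed_lines, installed_lines):
    """Return installed packages that are older than the advisory's build."""
    fixed = {}
    for line in fixed_lines:
        name, ver, rel, arch = parse_nvra(line)
        fixed[(name, arch)] = (ver, rel)
    outdated = []
    for line in installed_lines:
        name, ver, rel, arch = parse_nvra(line)
        want = fixed.get((name, arch))
        if want is None:
            continue  # package is not covered by this advisory
        order = rpmvercmp(ver, want[0]) or rpmvercmp(rel, want[1])
        if order < 0:
            outdated.append((name, arch, f"{ver}-{rel}", f"{want[0]}-{want[1]}"))
    return sorted(outdated)


# Fixed builds, copied from the RHSA-2016:2054 x86_64 package list.
FIXED = [
    "httpd22-2.2.26-56.ep6.el7.x86_64.rpm",
    "mod_ssl22-2.2.26-56.ep6.el7.x86_64.rpm",
    "jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.x86_64.rpm",
    "mod_jk-ap22-1.2.41-2.redhat_4.ep6.el7.x86_64.rpm",
    "tomcat-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm",
]

# Constructed sample of installed packages (not from a real host).
INSTALLED = [
    "httpd22-2.2.26-41.ep6.el7.x86_64",
    "jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.x86_64",
    "mod_jk-ap22-1.2.40-4.redhat_2.ep6.el7.x86_64",
    "tomcat-native-1.1.34-5.redhat_1.ep6.el7.x86_64",
    "bash-4.2.46-20.el7_2.x86_64",
]

if __name__ == "__main__":
    for name, arch, have, want in audit(FIXED, INSTALLED):
        print(f"{name}.{arch}: installed {have}, advisory ships {want}")
```

A package reported as current still runs the old code until the services linked against it are restarted, as the Solution sections state.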