Warning message

Log in to add comments.

How Red Hat ships JBoss security updates

David Jorm published on 2012-11-14T13:00:35+00:00, last updated 2012-11-14T13:00:35+00:00

JBoss security updates

When security flaws are discovered in JBoss products, the Red Hat Security Response Team works to resolve them on a prioritized basis. Flaws are rated according to a four-point scale: low, moderate, important, and critical. For details on the process of rating flaws, refer to How Red Hat rates JBoss security flaws. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically addressed in order of importance as an update to the product. These fixes are provided as async (asychronous) patches, which are isolated updates that generally only contain the resolution for the security issue. For some products, such as JBoss Enterprise SOA Platform and JBoss Enterprise BRMS Platform, roll up patches are provided. These include a consolidated single patch for all issues fixed to date for a given product version.

JBoss distribution mechanisms

JBoss products are distributed in two forms: ZIP (for all products) and RPM (for a subset of products).

All JBoss products are provided as ZIP files which can be unpacked and run on any supported platform. ZIP files are used because they are platform-agnostic, and do not rely on any kind of package management on the system. The ZIP files are monolithic, with a single file providing the entire product distribution. ZIP distributions are published in the download section of the Red Hat Customer Portal. Updates to ZIP distributions are provided as single ZIP files that unpack over existing installations. These are also published on the Customer Portal.

A subset of JBoss products are also provided as a series of RPMs, designed to run on Red Hat Enterprise Linux. The RPMs are modular, with each major component factored out into its own package. The RPMs are distributed via Red Hat Network (RHN), similar to Red Hat Enterprise Linux RPMs. Updates are provided as RPMs for the affected component(s), which can be consumed by running "yum update".

Shipping JBoss security updates

Security updates for JBoss products are provided by an erratum. The erratum encapsulates a list of the resolved flaws, their severity ratings, the affected products, textual description of the flaws, and a reference to the patches.

For ZIP distributions of JBoss products, the errata include a link to a URL on the Customer Portal where the patch ZIP can be downloaded and instructions for unpacking and installing the patch can be found. For RPM distributions of JBoss products, the errata include references to the updated RPM packages. The patch can be installed by using yum or another RPM tool to update the relevant packages. Using RPMs has some advantages, including the ability to identify the origin of files, and resolve conflicts between a file you have edited and the version of that file provided by an updated RPM.

Example: CVE-2012-0818

CVE-2012-0818 is a moderate impact XML External Entity (XXE) flaw in the RESTEasy component. It affected various products, including JBoss Enterprise Application Platform (EAP), JBoss Enterprise BRMS Platform, and JBoss Enterprise Portal Platform (EPP). For EAP, there was no new version of the product due to be released in a reasonable time frame, so the fix for this flaw was released as an async patch. Two errata were released:

  • JBoss Enterprise Application Platform 5.1.2 zip async patch: RHSA-2012:1056
  • JBoss Enterprise Application Platform 5.1.2 RPM async patch: RHSA-2012:1059

For JBoss Enterprise BRMS Platform, a roll up patch was already scheduled for release, the fix for this flaw was added to that roll up patch. A single erratum was released, as JBoss Enterprise BRMS Platform is only distributed in a ZIP archive:

  • JBoss Enterprise BRMS Platform 5.1.2 zip roll up patch: RHSA-2012:0441

For JBoss Enterprise Portal Platform, a new minor version was already scheduled for release, the fix for this flaw was added to that new version as well. A single erratum was released, as JBoss Enterprise Portal Platform is only distributed in a ZIP archive:

The Red Hat Security Response Team works to ensure potential security flaws affecting JBoss products are triaged, and that patches are released for relevant flaws on a prioritized basis. JBoss customers receive this coverage throughout the supported life-cycle of their products, which is an advantage of using supported JBoss products instead of community releases. It is important for JBoss administrators to know how to acquire and deploy security patches relevant to their systems.

About The Author

rhn-ecs-djorm's picture

David Jorm