3.5. Installing the Security Notice CVE-2009-0027 patch

After you have installed JBoss EAP, you must also install the Security Notice CVE-2009-0027 patch. This patch resolves an issue where a remote attacker could read arbitrary XML files with the permissions of the EAP process. Refer to http://rhn.redhat.com/errata/RHSA-2009-0349.html for additional information about this vulnerability.
The exact files you will need to download will vary according to whether you have installed the RPM version of JBoss EAP or the zip version.
The files for the RPM install are included in the ISO image.
The files for the zip package install must be downloaded separately as described in Section 3.2, “Downloading JBoss EAP from the Red Hat JBoss Customer Support Portal”.
You can verify the authenticity of the downloaded files by using md5sum and the checksum values listed here.

Table 3.2. MD5 checksums for patch files

File                                              MD5 Checksum
jbossws-2.0.1-3.SP2_CP04.4.1.ep1.el5.noarch.rpm   2b94cc1b052280f2a8cf5856c64972c5
jbossws-2.0.1-3.SP2_CP04.4.1.ep1.el5.src.rpm      ccb6c9bd951b3d4df4a4004973533980
jbossws-2.0.1-3.SP2_CP04.4.ep1.el4.noarch.rpm     bf61c04a503d914186d0bd68f47dea9b
jbossws-2.0.1-3.SP2_CP04.4.ep1.el4.src.rpm        31a4fd98ce9eb02a3b98d7fa7306e8ba
jbeap-4.3.0.GA_CP03_CVE-2009-0027.zip             45a3abcfd95d40322d92bd5a0e7dd6ee

For a Red Hat Enterprise Linux 4 or 5 RPM installation, install the patch RPM that you downloaded just like any other RPM package, either from the command line or with the GUI tool of your choice.

Example 3.2. Installing the RPM patch on Red Hat Enterprise Linux 5

$ rpm -ivh jbossws-2.0.1-3.SP2_CP04.3.1.ep1.el5.noarch.rpm
Preparing...                ########################################### [100%]
   1:jbossws                ########################################### [100%]

On a JBoss EAP zip install, installing the patch requires only that you overwrite two JAR files in the install with the ones you downloaded.

Procedure 3.1. Installing the patch on a zip install

  1. Extract the two JAR files from jbeap-4.3.0.GA_CP03_CVE-2009-0027.zip.
  2. Copy jbossws-client.jar over the existing one in %JBOSS_HOME%/client.
  3. Copy jbossws-core.jar over the existing one in %JBOSS_HOME%/server/production/deploy/jbossws.sar/.
  4. Repeat step 2 for any other server profiles that you use, such as for development and testing.
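The checksum verification described above and Procedure 3.1, combined into one POSIX shell script. This is an added example, not part of the Red Hat documentation: verify_checksums compares only the files that are present (an RPM install and a zip install download different subsets of Table 3.2), and patch_zip_install keeps a copy of each JAR it replaces and patches every server profile that contains deploy/jbossws.sar, which is the generalisation of steps 2 to 4. The ./downloads and ./patch directories and the unzip layout are assumptions.

```shell
#!/bin/sh
# Expected MD5 checksums copied from Table 3.2, in the "sum  filename" form.
PATCH_SUMS='2b94cc1b052280f2a8cf5856c64972c5  jbossws-2.0.1-3.SP2_CP04.4.1.ep1.el5.noarch.rpm
ccb6c9bd951b3d4df4a4004973533980  jbossws-2.0.1-3.SP2_CP04.4.1.ep1.el5.src.rpm
bf61c04a503d914186d0bd68f47dea9b  jbossws-2.0.1-3.SP2_CP04.4.ep1.el4.noarch.rpm
31a4fd98ce9eb02a3b98d7fa7306e8ba  jbossws-2.0.1-3.SP2_CP04.4.ep1.el4.src.rpm
45a3abcfd95d40322d92bd5a0e7dd6ee  jbeap-4.3.0.GA_CP03_CVE-2009-0027.zip'

# verify_checksums DIR [SUMS]: check every listed file that exists in DIR.
# Absent files are skipped (only your install type's files are downloaded);
# a present file with a wrong checksum, or no matching file at all, fails.
verify_checksums() {
    dir=$1; sums=${2:-$PATCH_SUMS}; checked=0; bad=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        [ -f "$dir/$name" ] || continue
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual)"; bad=$((bad + 1))
        fi
        checked=$((checked + 1))
    done <<EOF
$sums
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# install_jar SRC DST: keep a copy of the JAR being replaced, then overwrite it.
install_jar() {
    if [ -f "$2" ]; then cp -p "$2" "$2.pre-CVE-2009-0027" || return 1; fi
    cp "$1" "$2"
}

# patch_zip_install JBOSS_HOME PATCH_DIR: steps 2 to 4 of Procedure 3.1, after
# the two JARs have been extracted into PATCH_DIR. Every server profile that
# has deploy/jbossws.sar is patched, not only "production".
patch_zip_install() {
    home=$1; src=$2; n=0
    install_jar "$src/jbossws-client.jar" "$home/client/jbossws-client.jar" || return 1
    for sar in "$home"/server/*/deploy/jbossws.sar; do
        [ -d "$sar" ] || continue
        install_jar "$src/jbossws-core.jar" "$sar/jbossws-core.jar" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]   # fail if no profile carried jbossws.sar
}

# Usage for a zip install (assumed directory names; -j flattens the zip layout):
#   verify_checksums ./downloads \
#     && unzip -j -d ./patch ./downloads/jbeap-4.3.0.GA_CP03_CVE-2009-0027.zip '*.jar' \
#     && patch_zip_install "$JBOSS_HOME" ./patch
```

A matching MD5 only shows the download is the file this document lists; for the RPM files, rpm -K additionally checks Red Hat's package signature.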