RHSA-2006:0161 - Security Advisory

Topic

Red Hat Application Server Release 2 Update 1 is now available.

This update contains an upgrade of several RHAPS components to newer
releases, including JOnAS 4.6.3, Tomcat 5.5.12 and Struts 1.2.8.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

Red Hat Application Server packages provide a J2EE Application Server and
Web container as well as the underlying Java stack.

A denial of service flaw was found in the way Apache Tomcat displays
directory listings. A remote attacker could cause Tomcat to consume large
amounts of CPU resources by sending multiple requests for a directory
containing a large number of files. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3510 to this issue.
This update contains a version of Apache Tomcat that will recover after
the aforementioned attack. Users are also advised to disable directory
listing for web directories that contain very large numbers of files.

A cross-site scripting flaw was found in the way Struts displays error
pages. It may be possible for an attacker to construct a specially crafted
URL which could fool a victim into believing they are viewing a trusted
site. The Common Vulnerabilities and Exposures project has assigned the
name CVE-2005-3745 to this issue. Please note that this issue does not
affect Struts running on Tomcat or JOnAS, which is our supported usage of
Struts.

Additionally, this update replaces some other outdated packages with new
versions. Several bug fixes and enhancements are included in these new
versions.

IMPORTANT: Before applying this update, read the detailed
installation/upgrade instructions in the RELEASE_NOTES document.

All users of Red Hat Application Server should upgrade to these updated
packages, which contain packages that are not vulnerable to these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

IMPORTANT: For this errata, use the 'up2date' command (with no arguments).
DO NOT partially upgrade the packages for this errata as this can result
in a non-consistent set of packages being installed.

The update will cause applications to be undeployed from the server.
Redeploy all desired applications after the upgrade -- rerun GenIC for
faster deployment by the server as it will not have to replace stubs
from the previous version on the fly.

The 'jeremie' protocol option for the JOnAS J2EE Application Server is now
deprecated and unsupported. If your JOnAS server is using the 'jeremie'
protocol option, make sure you change the configuration to use the 'jrmp'
protocol instead before restarting the server. A server configured to use
the 'jeremie' protocol may not function properly after the upgrade.

Affected Products

• Red Hat Application Server v.2 2 x86_64
• Red Hat Application Server v.2 2 ppc
• Red Hat Application Server v.2 2 ia64
• Red Hat Application Server v.2 2 i386

Fixes

• BZ - 172557 - CVE-2005-3510 Possible Tomcat DoS
• BZ - 173929 - CVE-2005-3745 struts cross site scripting flaw

CVEs

• CVE-2006-0254
• CVE-2005-3510
• CVE-2005-3745

References

(none)