Synopsis

Moderate: JBoss Enterprise Application Platform security update

Type/Severity

Security Advisory: Moderate

Topic

Updated JBoss Enterprise Application Platform packages that fix several
security issues and bugs are now available for Red Hat Application Stack v1
and v2.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Description

The updated packages address the following security vulnerabilities:

Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).

Tomcat incorrectly handled the character sequence \" in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).

In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.

Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.

For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:

• Stacks V.1.2 has a new version of JBoss Application Server which
  requires Java version 1.5 to run.
  
• Unless the JBOSS_IP variable is explicitly set in the configuration
  file, JBoss Application Server services are now bound to localhost.
  
• Unless the JBOSSCONF variable is explicitly set in the configuration
  file, JBoss Application Server will start with the production config
  when started via the init script.
  

Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Application Stack 2 (for RHEL Server) 2 x86_64
• Red Hat Application Stack 2 (for RHEL Server) 2 i386
• Red Hat Application Stack 1 1 x86_64
• Red Hat Application Stack 1 1 i386

Fixes

• BZ - 247972 - CVE-2007-3382 tomcat handling of cookies
• BZ - 247976 - CVE-2007-3385 tomcat handling of cookie values

CVEs

• CVE-2007-3385
• CVE-2007-3382

References

• http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2.0.cp01/readme.html
• https://rhstack.108.redhat.com/docs/Red_Hat_Application_Stack_V.1.2_Release_Notes.html
• http://www.redhat.com/security/updates/classification/#moderate

This erratum does not contain any packages.