RHSA-2011:1334 - Security Advisory

Topic

Updated Spring Framework 3 files for JBoss Enterprise SOA Platform 5.1.0
that fix multiple security issues are now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure. JBoss Enterprise SOA Platform allows IT
to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.

Multiple flaws were found in the way Spring Framework 3 deserialized
certain Java objects. If an attacker were able to control the stream from
which an application with the Spring Framework 3 AOP in its class-path was
deserializing objects, they could use these flaws to execute arbitrary code
with the privileges of the JBoss Application Server process via a
specially-crafted, serialized Java object. (CVE-2011-2894)

Note: JBoss Enterprise SOA Platform does not expose applications that
deserialize objects from an untrusted source by default. These flaws would
affect applications configured to trust a malicious source, for example,
if the messaging service was configured to look up a remote messaging
queue, and an attacker had control of that queue.

All users of JBoss Enterprise SOA Platform 5.1.0 as provided from the Red
Hat Customer Portal are advised to install this update. Refer to the
Solution section for information about installing the update.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise SOA Platform installation (including its
databases, applications, configuration files, and so on).

If you have created custom applications that are packaged with a copy of
the Spring Framework 3 library, those applications must be rebuilt with the
Spring Framework 3 files provided by this update.

Note that it is recommended to halt the JBoss Enterprise SOA Platform
server by stopping the JBoss Application Server process before installing
this update, and then after installing the update, restart the JBoss
Enterprise SOA Platform server by starting the JBoss Application Server
process.

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for RHEL 6 x86_64

Fixes

• BZ - 737611 - CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization

CVEs

• CVE-2011-2894

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.1.0+GA