Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2011:1805 - Security Advisory
Issued:
2011-12-08
Updated:
2011-12-08

RHSA-2011:1805 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Low: JBoss Enterprise Application Platform 5.1.2 update

Type/Severity

Security Advisory: Low

Topic

JBoss Enterprise Application Platform 5.1.2, which fixes two security
issues, various bugs, and adds several enhancements is now available from
the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

JBoss Enterprise Application Platform is a platform for Java applications,
which integrates the JBoss Application Server with JBoss Hibernate and
JBoss Seam. OpenID4Java allows you to implement OpenID authentication in
your Java applications. OpenID4Java is a Technology Preview.

This JBoss Enterprise Application Platform 5.1.2 release serves as a
replacement for JBoss Enterprise Application Platform 5.1.1, and includes
bug fixes and enhancements. Refer to the JBoss Enterprise Application
Platform 5.1.2 Release Notes for information on the most significant of
these changes. The Release Notes will be available shortly from
https://docs.redhat.com/docs/en-US/index.html

The following security issues are also fixed with this release:

It was found that the invoker servlets, deployed by default via
httpha-invoker, only performed access control on the HTTP GET and POST
methods, allowing remote attackers to make unauthenticated requests by
using different HTTP methods. Due to the second layer of authentication
provided by a security interceptor, this issue is not exploitable on
default installations unless an administrator has misconfigured the
security interceptor or disabled it. (CVE-2011-4085)

It was found that the Attribute Exchange (AX) extension of OpenID4Java was
not checking to ensure attributes were signed. If AX was being used to
receive information that an application only trusts the identity provider
to assert, a remote attacker could use this flaw to conduct
man-in-the-middle attacks and compromise the integrity of the information
via a specially-crafted request. By default, only the JBoss Seam openid
example application uses OpenID4Java. (CVE-2011-4314)

Warning: Before applying this update, back up the
"jboss-as/server/[PROFILE]/deploy/" directory and any other customized
configuration files of your JBoss Enterprise Application Platform.

All users of JBoss Enterprise Application Platform 5.1.1 as provided from
the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise
Application Platform 5.1.2.

Solution

The References section of this erratum contains a download link (you must
log in to download the update).

Affected Products

  • JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

  • BZ - 750422 - CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)
  • BZ - 754386 - CVE-2011-4314 openid4java (AX extension): MITM due to improper validation of AX attribute signatures

CVEs

  • CVE-2011-4085
  • CVE-2011-4314

References

  • https://access.redhat.com/security/updates/classification/#low
  • https://docs.redhat.com/docs/en-US/index.html
  • https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions
  • https://access.redhat.com/support/offerings/techpreview/
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform Text-Only Advisories

SRPM
x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter