Synopsis

Important: jbossas-web and jboss-naming security update

Type/Severity

Security Advisory: Important

Topic

Updated jbossas-web and jboss-naming packages that fix two security issues
are now available for JBoss Enterprise Web Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

JBoss Application Server is the base package for JBoss Enterprise Web
Platform, providing the core server components. The Java Naming and
Directory Interface (JNDI) Java API allows Java software clients to locate
objects or services in an application server. The Java Authorization
Contract for Containers (Java ACC) specification defines Permission classes
and the binding of container access decisions to operations on instances of
these permission classes. JaccAuthorizationRealm performs authorization
based on Java ACC permissions and a Policy implementation.

It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)

When a JBoss server is configured to use JaccAuthorizationRealm, the
WebPermissionMapping class creates permissions that are not checked and can
permit access to users without checking their roles. If the
ignoreBaseDecision property is set to true on JBossWebRealm, the web
authorization process is handled exclusively by JBossAuthorizationEngine,
without any input from JBoss Web. This allows any valid user to access an
application, without needing to be assigned the role specified in the
application's web.xml "security-constraint" tag. (CVE-2012-1167)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605.

Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "server/[PROFILE]/deploy/" directory and any other customized
configuration files.

Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,
5, and 6 should upgrade to these updated packages, which correct these
issues. The JBoss server process must be restarted for this update to take
effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• JBoss Enterprise Web Platform 5 for RHEL 6 x86_64
• JBoss Enterprise Web Platform 5 for RHEL 6 i386
• JBoss Enterprise Web Platform 5 for RHEL 5 x86_64
• JBoss Enterprise Web Platform 5 for RHEL 5 i386

Fixes

• BZ - 766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
• BZ - 802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

CVEs

• CVE-2012-1167
• CVE-2011-4605

References

• https://access.redhat.com/security/updates/classification/#important

JBoss Enterprise Web Platform 5 for RHEL 6

SRPM
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.src.rpm	SHA-256: e34a81c334bc7f30159839125c07af6a5896d07080c5ef44c60f7821e7856634
jbossas-web-5.1.2-10.ep5.el6.src.rpm	SHA-256: d3aa6c8a75028a1dc631fda56d5dd7c1c8d45c47c23f2710e694fff522b7d773
x86_64
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm	SHA-256: 92a2244201f18ce16b4dfaccd9657f37b1a8ece7815233fea9e523d29179c89d
jbossas-web-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 45333c390039f361e9cdf74874588e97f47543df00a7734db1ae3ae18130f1b2
jbossas-web-client-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 98dd340fcf024ee8d16d750421160c1386d6105337a4185a3cd64e7ab18326c7
jbossas-web-ws-native-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 122140113cf6080de12f749fc20c1195b11e6dd5c7f0e0e631ef7c751c7f516a
i386
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm	SHA-256: 92a2244201f18ce16b4dfaccd9657f37b1a8ece7815233fea9e523d29179c89d
jbossas-web-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 45333c390039f361e9cdf74874588e97f47543df00a7734db1ae3ae18130f1b2
jbossas-web-client-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 98dd340fcf024ee8d16d750421160c1386d6105337a4185a3cd64e7ab18326c7
jbossas-web-ws-native-5.1.2-10.ep5.el6.noarch.rpm	SHA-256: 122140113cf6080de12f749fc20c1195b11e6dd5c7f0e0e631ef7c751c7f516a

JBoss Enterprise Web Platform 5 for RHEL 5

SRPM
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.src.rpm	SHA-256: 6db84c069c08c82cc03776ba0bdbd6a24cd8f35ab3178e5506fc1572bb61c283
jbossas-web-5.1.2-10.ep5.el5.src.rpm	SHA-256: b8a2072eacb8ef3f17009145a8a0466ed50c860e53c6a03376faeba636f7b18c
x86_64
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm	SHA-256: 4627dc38fe22a2976dd8b3af5b03518cfa6bcb249f3550fdcb333a7e8bd19603
jbossas-web-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: b2b06c9c153eaffce8f0956a45a7c2d47468a01899e179cd929538b0ae86d814
jbossas-web-client-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: 322c6b52f7ff6d01005ad879dcfc3b307c66cdcd2d5cb505955426bb25b46b5a
jbossas-web-ws-native-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: ab872d91208ea2ae9b6c8a7497c2f6e9e5ba84456a33d26b9463b8f3516ccb6d
i386
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm	SHA-256: 4627dc38fe22a2976dd8b3af5b03518cfa6bcb249f3550fdcb333a7e8bd19603
jbossas-web-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: b2b06c9c153eaffce8f0956a45a7c2d47468a01899e179cd929538b0ae86d814
jbossas-web-client-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: 322c6b52f7ff6d01005ad879dcfc3b307c66cdcd2d5cb505955426bb25b46b5a
jbossas-web-ws-native-5.1.2-10.ep5.el5.noarch.rpm	SHA-256: ab872d91208ea2ae9b6c8a7497c2f6e9e5ba84456a33d26b9463b8f3516ccb6d