Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2012:1594 - Security Advisory
Issued:
2012-12-18
Updated:
2012-12-18

RHSA-2012:1594 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: JBoss Enterprise Application Platform 6.0.1 update

Type/Severity

Security Advisory: Important

Topic

JBoss Enterprise Application Platform 6.0.1, which fixes multiple security
issues, various bugs, and adds enhancements, is now available from the Red
Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

JBoss Enterprise Application Platform 6 is a platform for Java applications
based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application
Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/knowledge/docs/

Security fixes:

Apache CXF checked to ensure XML elements were signed or encrypted by a
Supporting Token, but not whether the correct token was used. A remote
attacker could transmit confidential information without the appropriate
security, and potentially circumvent access controls on web services
exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC
permissions should be used to determine access; however, due to a flaw the
configured authorization modules (JACC, XACML, etc.) were not called, and
the JACC permissions were not used to determine access to an EJB.
(CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy
1.1 on the client side could, in certain cases, lead to a client failing to
sign or encrypt certain elements as directed by the security policy,
leading to information disclosure and insecure information transmission.
(CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and
returned a valid datasource connection when configured to
"allow-multiple-users". A remote attacker, provided the correct subject,
could obtain a datasource connection that might belong to a privileged
user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks
under certain conditions. Note that WS-Policy validation is performed
against the operation being invoked, and an attack must pass validation to
be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the
invocation should be denied for all users. It was found that the
processInvocation() method in
org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes
all method invocations to proceed when the list of allowed roles is empty.
(CVE-2012-4549)

The apachectl script set an insecure library search path. Running apachectl
in an attacker-controlled directory containing a malicious library file
could cause arbitrary code execution with the privileges of the user
running the apachectl script (typically the root user). This issue only
affected JBoss Enterprise Application Platform on Solaris. (CVE-2012-0883)

It was found that in Mojarra, the FacesContext that is made available
during application startup is held in a ThreadLocal. The reference is not
properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF)
WAR calls FacesContext.getCurrentInstance() during application startup,
another WAR can get access to the leftover context and thus get access to
the other WAR's resources. A local attacker could use this flaw to access
another WAR's resources using a crafted, deployed application.
(CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache HTTP
Server module. A remote attacker able to upload or create files with
arbitrary names in a directory that has the MultiViews options enabled,
could use this flaw to conduct cross-site scripting attacks against users
visiting the site. (CVE-2008-0455, CVE-2012-2687)

Red Hat would like to thank the Apache CXF project for reporting
CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue
was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering
team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of
the Red Hat Security Response Team; and CVE-2012-2672 was discovered by
Marek Schmidt and Stan Silvert of Red Hat.

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed applications.

Solution

Users of JBoss Enterprise Application Platform 6.0.0 as provided from the
Red Hat Customer Portal are advised to upgrade to JBoss Enterprise
Application Platform 6.0.1.

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Enterprise Application Platform installation and deployed
applications.

Affected Products

  • JBoss Enterprise Application Platform from RHUI 6 x86_64
  • JBoss Enterprise Application Platform from RHUI 6 i386
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
  • JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6 for RHEL 6 i386
  • JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

  • BZ - 813559 - CVE-2012-0883 httpd: insecure handling of LD_LIBRARY_PATH in envvars
  • BZ - 826533 - CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side
  • BZ - 826534 - CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token
  • BZ - 829560 - CVE-2012-2672 Mojarra: deployed web applications can read FacesContext from other applications under certain conditions
  • BZ - 843358 - CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains
  • BZ - 850794 - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
  • BZ - 851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
  • BZ - 870868 - CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty
  • BZ - 870871 - CVE-2012-4550 JBoss JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied

CVEs

  • CVE-2012-2379
  • CVE-2012-0883
  • CVE-2012-3428
  • CVE-2012-4549
  • CVE-2012-4550
  • CVE-2012-2378
  • CVE-2008-0455
  • CVE-2012-2672
  • CVE-2012-3451
  • CVE-2012-2687

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/knowledge/docs/
  • https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform from RHUI 6

SRPM
x86_64
i386

JBoss Enterprise Application Platform 6.4 for RHEL 6

SRPM
x86_64
i386

JBoss Enterprise Application Platform 6 for RHEL 6

SRPM
x86_64
i386

JBoss Enterprise Application Platform Text-Only Advisories

SRPM
x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter