Red Hat Product Errata RHSA-2013:0164 - Security Advisory
Issued:
2013-01-15
Updated:
2013-01-15

RHSA-2013:0164 - Security Advisory

Synopsis

Important: jbossweb security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated jbossweb packages that fix one security issue are now available for
JBoss Enterprise Application Platform 6.0.1 for Red Hat Enterprise Linux 5
and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise
Application Platform. It provides a single deployment platform for the
JavaServer Pages (JSP) and Java Servlet technologies.

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

Users of JBoss Enterprise Application Platform 6.0.1 on Red Hat
Enterprise Linux 5 and 6 should upgrade to these updated packages, which
correct this issue. The JBoss server process must be restarted for this
update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Application Platform from RHUI 6 x86_64
  • JBoss Enterprise Application Platform from RHUI 6 i386
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
  • JBoss Enterprise Application Platform 6.4 for RHEL 5 x86_64
  • JBoss Enterprise Application Platform 6.4 for RHEL 5 i386
  • JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6 for RHEL 6 i386
  • JBoss Enterprise Application Platform 6 for RHEL 5 x86_64
  • JBoss Enterprise Application Platform 6 for RHEL 5 i386

Fixes

  • BZ - 883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

JBoss Enterprise Application Platform from RHUI 6

SRPM
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.src.rpm SHA-256: a3419f6197ae67831a4dd0f041d5e82ed0bfec139fddacf28731939140df40d4
x86_64
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f
i386
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f

JBoss Enterprise Application Platform 6.4 for RHEL 6

SRPM
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.src.rpm SHA-256: a3419f6197ae67831a4dd0f041d5e82ed0bfec139fddacf28731939140df40d4
x86_64
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f
i386
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f

JBoss Enterprise Application Platform 6.4 for RHEL 5

SRPM
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.src.rpm SHA-256: 7d8f6627899141a449eae87361ba954a6e463294c730e87a9ecf9b68c9e158f1
x86_64
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753
i386
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753

JBoss Enterprise Application Platform 6 for RHEL 6

SRPM
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.src.rpm SHA-256: a3419f6197ae67831a4dd0f041d5e82ed0bfec139fddacf28731939140df40d4
x86_64
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f
i386
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f

JBoss Enterprise Application Platform 6 for RHEL 5

SRPM
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.src.rpm SHA-256: 7d8f6627899141a449eae87361ba954a6e463294c730e87a9ecf9b68c9e158f1
x86_64
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753
i386
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.