RHSA-2013:1286 - Security Advisory

Topic

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3, which fixes multiple security issues
and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an
integration platform. Red Hat JBoss A-MQ 6.0.0, based on Apache ActiveMQ,
is a standards compliant messaging system that is tailored for use in
mission critical applications.

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3 is an update to Red Hat JBoss Fuse
6.0.0 and Red Hat JBoss A-MQ 6.0.0, including bug fixes. Refer to the
readme file included with the patch files for information about these
fixes.

The following security issues are also resolved with this update:

Multiple stored cross-site scripting (XSS) flaws were found in the Fuse
Management Console. A remote attacker could use these flaws to perform an
XSS attack against other users of the Fuse Management Console.
(CVE-2013-4372)

All users of Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0 as
provided from the Red Hat Customer Portal are advised to apply this patch.

Solution

The References section of this erratum contains a download link (you must
log in to download the update).

Affected Products

• Red Hat Fuse 1 x86_64

Fixes

• BZ - 1011736 - CVE-2013-4372 Fuse Management Console: Stored cross-site scripting (XSS)

CVEs

• CVE-2013-4372

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.0.0
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.0.0