Red Hat Product Errata RHSA-2014:0195 - Security Advisory
Issued:
2014-02-20
Updated:
2014-02-20

RHSA-2014:0195 - Security Advisory

Synopsis

Moderate: Red Hat JBoss Portal 6.1.1 update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat JBoss Portal 6.1.1, which fixes two security issues and various
bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat JBoss Portal is the open source implementation of the Java EE suite
of services and Portal services running atop Red Hat JBoss Enterprise
Application Platform.

This Red Hat JBoss Portal 6.1.1 release serves as a replacement for 6.1.0.
Refer to the 6.1.1 Release Notes for further information, available shortly
from https://access.redhat.com/site/documentation/en-US/

It was found that the ParserPool and Decrypter classes in the OpenSAML Java
implementation resolved external entities, permitting XML External Entity
(XXE) attacks. A remote attacker could use this flaw to read files
accessible to the user running the application server, and potentially
perform other more advanced XXE attacks. (CVE-2013-6440)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Portal 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Portal 6.1.1.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up all
applications deployed on JBoss Enterprise Portal Platform, along with all
customized configuration files, and any databases and database settings.

Affected Products

  • Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

  • BZ - 1043332 - CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
  • BZ - 1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.