RHSA-2014:0401 - Security Advisory

Topic

Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

The following security issues are resolved with this update:

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)

It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)

It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)

The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)

A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)

It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)

A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)

The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.

All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.

Solution

The References section of this erratum contains a download link (you must
log in to download the update).

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

• BZ - 958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
• BZ - 1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
• BZ - 1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
• BZ - 1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
• BZ - 1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
• BZ - 1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
• BZ - 1067265 - CVE-2014-0085 Fuse: admin user cleartext password appears in logging
• BZ - 1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
• BZ - 1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429

CVEs

• CVE-2013-1624
• CVE-2013-2035
• CVE-2013-2192
• CVE-2013-4152
• CVE-2013-6429
• CVE-2013-6430
• CVE-2014-0050
• CVE-2014-0054
• CVE-2014-0085
• CVE-2014-1904

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0
• https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/