Red Hat Product Errata RHSA-2014:0792 - Security Advisory

Issued:: 2014-06-25
Updated:: 2014-06-25

RHSA-2014:0792 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update

Type/Severity

Security Advisory: Important

Topic

Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix
one security issue are now available for Red Hat Enterprise Linux 4, 5,
and 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

Red Hat JBoss Enterprise Web Platform is a platform for Java applications,
which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class
implementation did not properly use Seam logging. A remote attacker could
send specially crafted authentication headers to an application, which
could result in arbitrary code execution with the privileges of the user
running that application. (CVE-2014-0248)

The CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up your existing Red
Hat JBoss Enterprise Web Platform 5 installation (including all
applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

JBoss Enterprise Web Platform 5 for RHEL 6 x86_64
JBoss Enterprise Web Platform 5 for RHEL 6 i386
JBoss Enterprise Web Platform 5 for RHEL 5 x86_64
JBoss Enterprise Web Platform 5 for RHEL 5 i386

Fixes

BZ - 1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

CVEs

CVE-2014-0248

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Platform 5 for RHEL 6

SRPM
jboss-seam2-2.2.6.EAP5-16.el6_5.src.rpm	SHA-256: 584f792d9e3eeef873cded077d59879a2035719b395055963235badca812b1ac
x86_64
jboss-seam2-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: a545e8a0cd313311a9da889705cee366f5709102ab3db993baeaa88f981f7f7b
jboss-seam2-docs-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: 42104d0be4619fc8c726a4f16b035143b6f8dd9aff321e68ce0ad38e817bf58f
jboss-seam2-examples-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: f3c43d6e38fb7c7921007267ae9c9d93d679e20db2a8999159ddbf2e5afd5f51
jboss-seam2-runtime-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: 4c9421ac3669290015b5962cde4ace4601b0e42b385e341615d24b61e3a67a4b
i386
jboss-seam2-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: a545e8a0cd313311a9da889705cee366f5709102ab3db993baeaa88f981f7f7b
jboss-seam2-docs-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: 42104d0be4619fc8c726a4f16b035143b6f8dd9aff321e68ce0ad38e817bf58f
jboss-seam2-examples-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: f3c43d6e38fb7c7921007267ae9c9d93d679e20db2a8999159ddbf2e5afd5f51
jboss-seam2-runtime-2.2.6.EAP5-16.el6_5.noarch.rpm	SHA-256: 4c9421ac3669290015b5962cde4ace4601b0e42b385e341615d24b61e3a67a4b

JBoss Enterprise Web Platform 5 for RHEL 5

SRPM
jboss-seam2-2.2.6.EAP5-12.ep5.el5.src.rpm	SHA-256: 08bfbb0b59448560e3fd126387ab50fa62b4a538515b8a08589f608795fa1e3e
x86_64
jboss-seam2-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: ce4d9bc3b7d247209498384fa7e240172b1977873fe331963bb495180384f97f
jboss-seam2-docs-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: f941a46a37ae0558662177dfe73a55a5399355d047124be5c4d380f401fa9024
jboss-seam2-examples-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: 77cba9a4dcba2ec04adfc845a5552e1ad721cd7c2b4bfb21d3bc287c24a7f76f
jboss-seam2-runtime-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: f0e5891e5893b8a7ac6c318beecdb8e820448834239322cfe2e3b7f8b13f9103
i386
jboss-seam2-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: ce4d9bc3b7d247209498384fa7e240172b1977873fe331963bb495180384f97f
jboss-seam2-docs-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: f941a46a37ae0558662177dfe73a55a5399355d047124be5c4d380f401fa9024
jboss-seam2-examples-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: 77cba9a4dcba2ec04adfc845a5552e1ad721cd7c2b4bfb21d3bc287c24a7f76f
jboss-seam2-runtime-2.2.6.EAP5-12.ep5.el5.noarch.rpm	SHA-256: f0e5891e5893b8a7ac6c318beecdb8e820448834239322cfe2e3b7f8b13f9103

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories