Red Hat Product Errata RHSA-2014:1891 - Security Advisory

Issued:: 2014-11-24
Updated:: 2014-11-24

RHSA-2014:1891 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss BRMS 6.0.3 security update

Type/Severity

Security Advisory: Important

Topic

Red Hat JBoss BRMS 6.0.3 roll up patch 1, which fixes two security issues,
several bugs, and adds various enhancements, is now available from the Red
Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS
6.0.3, and includes bug fixes and enhancements. It includes various bug
fixes, which are listed in the README file included with the patch files.

The following security issues are fixed with this release:

It was discovered that Jakarta Commons HttpClient incorrectly extracted the
host name from an X.509 certificate subject's Common Name (CN) field.
A man-in-the-middle attacker could use this flaw to spoof an SSL server
using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer
Portal are advised to apply this roll up patch.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the server by starting the JBoss Application Server
process.

Affected Products

Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

BZ - 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
BZ - 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1

SRPM
x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories