Red Hat Product Errata RHSA-2015:1551 - Security Advisory
Issued:
2015-08-05
Updated:
2015-08-05

RHSA-2015:1551 - Security Advisory

Synopsis

Important: Red Hat JBoss Fuse Service Works 6.0.0 security update

Type/Severity

Security Advisory: Important

Topic

Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 5, which fixes
two security issues and various bugs, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse
Service Works 6.0.0. It includes various bug fixes, which are listed in the
README file included with the patch files.

The following security issues are also fixed with this release:

It was found that async-http-client would disable SSL/TLS certificate
verification under certain conditions, for example if HTTPS communication
also used client certificates. A man-in-the-middle (MITM) attacker could
use this flaw to spoof a valid certificate. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname
matched the domain name in the subject's Common Name (CN) or subjectAltName
field in X.509 certificates. This could allow a man-in-the-middle attacker
to spoof an SSL server if they had a certificate that was valid for any
domain name. (CVE-2013-7398)

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Fuse Service Works installation (including its
databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Fuse Service Works
server by stopping the JBoss Application Server process before installing
this update, and then after installing the update, restart the Red Hat
JBoss Fuse Service Works server by starting the JBoss Application
Server process.

Affected Products

  • Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

  • BZ - 1133769 - CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
  • BZ - 1133773 - CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.