- Issued:
- 2015-08-18
- Updated:
- 2015-08-18
RHSA-2015:1642 - Security Advisory
Synopsis
Important: Red Hat JBoss Web Server 2.1.0 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues
is now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Description
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.
A flaw was found in the way the mod_cluster manager processed certain MCMP
messages. An attacker with access to the network from which MCMP messages
are allowed to be sent could use this flaw to execute arbitrary JavaScript
code in the mod_cluster manager web interface. (CVE-2015-0298)
It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2014-8111)
All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Web Server 2 for RHEL 7 x86_64
- JBoss Enterprise Web Server 2 for RHEL 6 x86_64
- JBoss Enterprise Web Server 2 for RHEL 6 i386
- JBoss Enterprise Web Server 2 for RHEL 5 x86_64
- JBoss Enterprise Web Server 2 for RHEL 5 i386
Fixes
- BZ - 1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
- BZ - 1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages
JBoss Enterprise Web Server 2 for RHEL 7
| SRPM | |
|---|---|
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.src.rpm | SHA-256: 724baddbfbc5a4f98a414ae568f58804727084a57b9cf1cf57c7f73ed3151c15 |
| mod_jk-1.2.40-4.redhat_2.ep6.el7.src.rpm | SHA-256: daacf0194053fa4e7d7dad5fa2656ce0338ac81651686f00c06c6d2665885c5b |
| x86_64 | |
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm | SHA-256: 5f6d98238ff8f51c32524c627583d6a6c81f17c5b3c0fbc844ab00286c89cbad |
| mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm | SHA-256: e61efaa2de58e86a06624cdeac534f0de2f4ca475b416452b919efc1aa44249d |
| mod_jk-ap22-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm | SHA-256: 5d43ee4fed2691efa57bd17bfd187514177f6e470c44ef7a81bee2e4e56752fb |
| mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm | SHA-256: b9531ee527f19950552b7916357ace73354e82a5c8d43a91bde2809a1fa69563 |
| mod_jk-manual-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm | SHA-256: 13df19a08bfdbcc88cac5ef14ae82878060c73c5335455ebc563eb872eb1a000 |
JBoss Enterprise Web Server 2 for RHEL 6
| SRPM | |
|---|---|
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.src.rpm | SHA-256: bbad66e910e73afc803925c2387b2eed71b390dde3366089beb533102ceee04c |
| mod_jk-1.2.40-4.redhat_2.ep6.el6.src.rpm | SHA-256: a5454f4048741513198428e348e9b04c4566d00a842d842ab7d709eac1d42cfc |
| x86_64 | |
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm | SHA-256: 9a0b5e6bdb6ab54d0127500506bdc9cbd9f0eebd0b46e710da86d83a0a81f189 |
| mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm | SHA-256: 9db160d71dc228d31e315321468775b562727f920c54fa911c221b6a50940db6 |
| mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm | SHA-256: 4719f96e2ce742b5ce3d7f0cfd9e9d8d83720cb53a43e52ec670f1976a556e5c |
| mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm | SHA-256: 55783a8f2b6af611c8aa43b508d2ba78d671b8c5aab650d14578839e4a974756 |
| mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm | SHA-256: 7e4c412de2c8708ad6b94741660feba0b4687c4e7c868784f5372021b1010b3a |
| i386 | |
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm | SHA-256: e9919ade421c3f6f5ab67a291f3f8c027476f5e8255eb4b94eb74c0edf283044 |
| mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm | SHA-256: fbb25f161ff20c1134f1b65f1f5c1098b7a45a6f329e8afbb0572fab1e147df5 |
| mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.i386.rpm | SHA-256: 4395da2791a6e5d4e51dbf5cad689ed31d06020b4c593636a5be1dd8e5aa77ce |
| mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.i386.rpm | SHA-256: 63fa526f5bb0bb7f52781acf89d569c8bba522ed4c86ec19df8938f3e70ac8c1 |
| mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.i386.rpm | SHA-256: 043bd6ad0dab6805fb33353306f79437fccd358ee8ffa8f44ec58072a76ec2b5 |
JBoss Enterprise Web Server 2 for RHEL 5
| SRPM | |
|---|---|
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm | SHA-256: 61b42f0b962d3d454039590ba7eb394a0b80a85317150b0311c7e5fba439735e |
| mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm | SHA-256: 73adc0550301619ad92f9f17adfb17cade8866e309b9207402f2275e44f30fec |
| x86_64 | |
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm | SHA-256: b7a2640d8b7bc91cc79293599514f70786a7f3dbb4cd7973d44b45e3f6bbba6a |
| mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm | SHA-256: 5a052c3a9e8ee5a04f4f0168e13364f1604b90e5d4ef2dad22d3f4bcd71ddf6d |
| mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm | SHA-256: 09c36f86c373e8eb270bf9f8936500cf5358ac6c269d0e21a50cf0e4a51c72ff |
| i386 | |
| mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm | SHA-256: 6ed9356da45da06666751b782ed5bdf789ce2b7dfd7b71d7943b5a51a92b9718 |
| mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm | SHA-256: de8288e785c32f2ce8a822de87bbb61627e8ec340fc5b3f20afd483664e8401f |
| mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.i386.rpm | SHA-256: 3c3f626ac3158fba37cfc40f7112f66cd2bea3b3d84ad6a3992b6f3c83ca15e9 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
