Red Hat Product Errata RHSA-2015:1642 - Security Advisory

Issued:: 2015-08-18
Updated:: 2015-08-18

RHSA-2015:1642 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Web Server 2.1.0 security update

Type/Severity

Security Advisory: Important

Topic

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues
is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

A flaw was found in the way the mod_cluster manager processed certain MCMP
messages. An attacker with access to the network from which MCMP messages
are allowed to be sent could use this flaw to execute arbitrary JavaScript
code in the mod_cluster manager web interface. (CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

JBoss Enterprise Web Server 2 for RHEL 7 x86_64
JBoss Enterprise Web Server 2 for RHEL 6 x86_64
JBoss Enterprise Web Server 2 for RHEL 6 i386
JBoss Enterprise Web Server 2 for RHEL 5 x86_64
JBoss Enterprise Web Server 2 for RHEL 5 i386

Fixes

BZ - 1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
BZ - 1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 7

SRPM
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.src.rpm	SHA-256: 724baddbfbc5a4f98a414ae568f58804727084a57b9cf1cf57c7f73ed3151c15
mod_jk-1.2.40-4.redhat_2.ep6.el7.src.rpm	SHA-256: daacf0194053fa4e7d7dad5fa2656ce0338ac81651686f00c06c6d2665885c5b
x86_64
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm	SHA-256: 5f6d98238ff8f51c32524c627583d6a6c81f17c5b3c0fbc844ab00286c89cbad
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm	SHA-256: e61efaa2de58e86a06624cdeac534f0de2f4ca475b416452b919efc1aa44249d
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm	SHA-256: 5d43ee4fed2691efa57bd17bfd187514177f6e470c44ef7a81bee2e4e56752fb
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm	SHA-256: b9531ee527f19950552b7916357ace73354e82a5c8d43a91bde2809a1fa69563
mod_jk-manual-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm	SHA-256: 13df19a08bfdbcc88cac5ef14ae82878060c73c5335455ebc563eb872eb1a000

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.src.rpm	SHA-256: bbad66e910e73afc803925c2387b2eed71b390dde3366089beb533102ceee04c
mod_jk-1.2.40-4.redhat_2.ep6.el6.src.rpm	SHA-256: a5454f4048741513198428e348e9b04c4566d00a842d842ab7d709eac1d42cfc
x86_64
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm	SHA-256: 9a0b5e6bdb6ab54d0127500506bdc9cbd9f0eebd0b46e710da86d83a0a81f189
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm	SHA-256: 9db160d71dc228d31e315321468775b562727f920c54fa911c221b6a50940db6
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm	SHA-256: 4719f96e2ce742b5ce3d7f0cfd9e9d8d83720cb53a43e52ec670f1976a556e5c
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm	SHA-256: 55783a8f2b6af611c8aa43b508d2ba78d671b8c5aab650d14578839e4a974756
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm	SHA-256: 7e4c412de2c8708ad6b94741660feba0b4687c4e7c868784f5372021b1010b3a
i386
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm	SHA-256: e9919ade421c3f6f5ab67a291f3f8c027476f5e8255eb4b94eb74c0edf283044
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm	SHA-256: fbb25f161ff20c1134f1b65f1f5c1098b7a45a6f329e8afbb0572fab1e147df5
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.i386.rpm	SHA-256: 4395da2791a6e5d4e51dbf5cad689ed31d06020b4c593636a5be1dd8e5aa77ce
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.i386.rpm	SHA-256: 63fa526f5bb0bb7f52781acf89d569c8bba522ed4c86ec19df8938f3e70ac8c1
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.i386.rpm	SHA-256: 043bd6ad0dab6805fb33353306f79437fccd358ee8ffa8f44ec58072a76ec2b5

JBoss Enterprise Web Server 2 for RHEL 5

SRPM
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm	SHA-256: 61b42f0b962d3d454039590ba7eb394a0b80a85317150b0311c7e5fba439735e
mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm	SHA-256: 73adc0550301619ad92f9f17adfb17cade8866e309b9207402f2275e44f30fec
x86_64
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm	SHA-256: b7a2640d8b7bc91cc79293599514f70786a7f3dbb4cd7973d44b45e3f6bbba6a
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm	SHA-256: 5a052c3a9e8ee5a04f4f0168e13364f1604b90e5d4ef2dad22d3f4bcd71ddf6d
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm	SHA-256: 09c36f86c373e8eb270bf9f8936500cf5358ac6c269d0e21a50cf0e4a51c72ff
i386
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm	SHA-256: 6ed9356da45da06666751b782ed5bdf789ce2b7dfd7b71d7943b5a51a92b9718
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm	SHA-256: de8288e785c32f2ce8a822de87bbb61627e8ec340fc5b3f20afd483664e8401f
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.i386.rpm	SHA-256: 3c3f626ac3158fba37cfc40f7112f66cd2bea3b3d84ad6a3992b6f3c83ca15e9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories