- Issued: 2015-08-24
- Updated: 2015-08-24
RHSA-2015:1673 - Security Advisory
Synopsis
Moderate: jboss-ec2-eap bug fix security update
Type/Severity
Security Advisory: Moderate
Topic
An updated jboss-ec2-eap package that fixes a security issue, fixes several
bugs and adds various enhancements is now available for Red Hat JBoss Enterprise
Application Platform 6.4.3 on Red Hat Enterprise Linux 6.
Description
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java EE
applications. It is based on JBoss Application Server 7 and incorporates
multiple open-source projects to provide a complete Java EE platform solution.
The jboss-ec2-eap package provides scripts for Red Hat JBoss Enterprise
Application Platform running on the Amazon Web Services (AWS) Elastic Compute
Cloud (EC2). With this update, the package has been updated to ensure
compatibility with Red Hat JBoss Enterprise Application Platform 6.4.3.
(BZ#1228766)
The following security issue is also fixed with this release:
It was discovered that, under specific conditions, PicketLink
IDP ignores role-based authorization. This could lead to an
authenticated user being able to access application resources
that are not permitted for a given role. (CVE-2015-3158)
Users of Red Hat JBoss Enterprise Application Platform 6.4.2 jboss-ec2-eap are
advised to upgrade to this updated package, which fixes these bugs and adds
these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant
to your system have been applied. Also, make sure to back up any modified
configuration files, deployments, and all user data. After applying the update,
restart the instance of Red Hat JBoss Enterprise Application Platform for the
changes to take effect.
For details on how to apply this update, refer to:
Affected Products
- JBoss Enterprise Application Platform from RHUI 6 x86_64
- JBoss Enterprise Application Platform from RHUI 6 i386
- JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
- JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 6 for RHEL 6 i386
Fixes
- BZ - 1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
CVEs
JBoss Enterprise Application Platform from RHUI 6
SRPM | |
---|---|
x86_64 | |
i386 |
JBoss Enterprise Application Platform 6.4 for RHEL 6
SRPM | |
---|---|
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.src.rpm | SHA-256: 4d7ccba2990d84890664644655102bd8af3a351c3a01a6f28459c29d51976cc2 |
x86_64 | |
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 4ea4a341a75f237a71f2ae2e77174f2970644b929fe1f4ead1e9750c786e242d |
jboss-ec2-eap-samples-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 685d01ae22aadedbba8cdb1a98dc2dca87c004b5f3586ea0e4799d94d523bae5 |
i386 | |
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 4ea4a341a75f237a71f2ae2e77174f2970644b929fe1f4ead1e9750c786e242d |
jboss-ec2-eap-samples-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 685d01ae22aadedbba8cdb1a98dc2dca87c004b5f3586ea0e4799d94d523bae5 |
JBoss Enterprise Application Platform 6 for RHEL 6
SRPM | |
---|---|
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.src.rpm | SHA-256: 4d7ccba2990d84890664644655102bd8af3a351c3a01a6f28459c29d51976cc2 |
x86_64 | |
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 4ea4a341a75f237a71f2ae2e77174f2970644b929fe1f4ead1e9750c786e242d |
jboss-ec2-eap-samples-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 685d01ae22aadedbba8cdb1a98dc2dca87c004b5f3586ea0e4799d94d523bae5 |
i386 | |
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 4ea4a341a75f237a71f2ae2e77174f2970644b929fe1f4ead1e9750c786e242d |
jboss-ec2-eap-samples-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm | SHA-256: 685d01ae22aadedbba8cdb1a98dc2dca87c004b5f3586ea0e4799d94d523bae5 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.