RHSA-2016:0062 - Security Advisory

Topic

An update for Red Hat JBoss Web Server 2.1.0 that fixes four security
issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

[Updated 15th February 2018]
Previously, this erratum stated that CVE-2012-1148 was fixed .This was incorrect;the erratum text has now been modified to reflect this.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

A denial of service flaw was found in the implementation of hash arrays in
Expat. An attacker could use this flaw to make an application using Expat
consume an excessive amount of CPU time by providing a specially-crafted
XML file that triggers multiple hash function collisions. To mitigate this
issue, randomization has been added to the hash function to reduce the
chance of an attacker successfully causing intentional collisions.
(CVE-2012-0876)

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat
Customer Portal are advised to apply this update. The Red Hat JBoss Web
Server process must be restarted for the update to take effect.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

Affected Products

• JBoss Enterprise Web Server Text-Only Advisories x86_64

Fixes

• BZ - 786617 - CVE-2012-0876 expat: hash table collisions CPU usage DoS
• BZ - 1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
• BZ - 1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

CVEs

• CVE-2012-0876
• CVE-2013-5704
• CVE-2015-3183

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0