- Issued:
- 2016-10-06
- Updated:
- 2016-10-06
RHSA-2016:2036 - Security Advisory
Synopsis
Important: Red Hat JBoss A-MQ 6.3 security update
Type/Severity
Security Advisory: Important
Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
Solution
The References section of this erratum contains a download link (you must
log in to download the update).
Affected Products
- Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
Fixes
- BZ - 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
- BZ - 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
- BZ - 1343346 - CVE-2016-4437 shiro: Security constraint bypass
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.