RHSA-2016:2036 - Security Advisory
Important: Red Hat JBoss A-MQ 6.3 security update
Security Advisory: Important
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
The References section of this erratum contains a download link (you must
log in to download the update).
- Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
- BZ - 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
- BZ - 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
- BZ - 1343346 - CVE-2016-4437 shiro: Security constraint bypass
Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1