RHSA-2016:2036 - Security Advisory
Security Advisory: Important
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
The References section of this erratum contains a download link (you must
log in to download the update).
- Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1