Issued:: 2017-06-28
Updated:: 2017-06-28

RHSA-2017:1658 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release includes bug fixes as well as a new release of OpenSSL. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178)
A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)
Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

JBoss Enterprise Application Platform 6.4 for RHEL 7 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 7 ppc64
JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 6 ppc64
JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
JBoss Enterprise Application Platform 6 for RHEL 7 x86_64
JBoss Enterprise Application Platform 6 for RHEL 7 ppc64
JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6 for RHEL 6 ppc64
JBoss Enterprise Application Platform 6 for RHEL 6 i386

Fixes

BZ - 1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
BZ - 1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
BZ - 1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
BZ - 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform 6.4 for RHEL 7

SRPM
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm	SHA-256: ee99051a9e1d5712486418bb479f7b68bea75f20338a8645963456cc4c282d5c
x86_64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 1eeb3684de60e2f202f6e3e9f3916f090e2a746f8648e6eab500d81bf03de20e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: c9718b67b4c7793f612067aca64fea6fea9517cc050ca1d1bf57fbdbf2ce8e8e
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 83f60d53eaadeecd3304fe1f9dccead3387e98703c8a24869a4d88e17ac33604
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: ee2f2e9d5aeda73d21fbd95e2905f869ec8cb361c041c7898c575a5682636dc3
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 17174dda67b0cb3e85b8429df0df7109f4f01cf063b3058fd208ac6041022c45
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 6b08a0c3fccb167a290506dad05d8589bb6e96f6f2e3fc0da3b1f916e4729a23
ppc64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 7a06abfdf44e87c171b70ab52ec9ae500261e996f3a8d883db2efea00a04760a
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 9ca3993cb623872543ce7f6c9598550ff21fe78824d2c5f6926bfab5c0384437
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 1ae458421d9383fb7e414ffeeb19e7671d5c35cb112b32f4a7b27161dafcae12
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 1821ad48725b9ee242e8c50d2c124ba2b8327b4a05a6e2d13230140f27a546d6
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: d696886fef17eabeebed18ecfbf16281738cf4ada8513f01883be150890f07ea
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 11dd1fdbb9b26f740b990b77b0690ea9baa9dfdd5f70fa2765778c28a0c6659d

JBoss Enterprise Application Platform 6.4 for RHEL 6

SRPM
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm	SHA-256: a178b3c166fd34a8267256e16735860c4af4d3b79c4c6eeb424d8847c9cdf667
x86_64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: 18d0e2714b07ac3657e1a7e5e984174003634d0dcd5f6139615d1b9338f82457
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: 9b4f1f0ca860b11dab3a50ac4bf574c1a4ce3fc3c931f428fc7ac06e0debf348
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: ee8db2a8e36302d4ae6859ecb6821b991efd103940becb9700f160dc0f6992d3
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: eb950ce95cf94c2b2af79b85559ade42adf07d64cdc9a9f96e0fb48ea76b6d9b
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: e658108990ae3a9015e54a142450426873c4475f6557f0078146d4352ac157dd
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: ef5a7fc42691f2610057c3623c493a1c8b2e9f9c6bd2f6e0f7397c4561dee811
ppc64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: b8fdaae86933a410da29e164eefbc3137301dad4e94782cf396ede04eb1a069e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: a48f6af3f09c63ad8f32072528a2b051c5de6c7e0f31301ddb68720f1447dcce
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: 319cdf1ff6b64428597b47178e67b77d76a23589b0cafcd0f2c505f6e8c75208
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: de17bab283d1f9e1942293cb744c560a51bd3cf7c571230e29e527587dd5c261
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: f39c224e936a72be38cdd8a84d34f7c72456aafbeb4528fb4793e93264d81a29
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: 289e4f3a980f2cbdedd6e750e21d70e7b9a0ff466b0817a2c18f5390250b78d1
i386
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 12fdc8388bd656ef5ae81e75ff67adaea4242e5e8ab46eebaf27980faaaa566e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 0d721eec463da294dc6524e9b36407128793c8799997457d36623754809fffba
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: b4318bc1df34802f3fb7e271a46b77f45a8d10b21617e685492c7c7ebc2aea1f
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: efffa323986b0967be112446db44db639f6230d22e6ab1a63792a981124c13d2
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: e2df36a03c46e355b000db5a9bdce4f4d296d5cf40a0e21ff0a8087cbfad879e
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 6480af7ff4572f198c667a62346079af57c3076687f324dea6b4ecf06243dc30

JBoss Enterprise Application Platform 6 for RHEL 7

SRPM
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm	SHA-256: ee99051a9e1d5712486418bb479f7b68bea75f20338a8645963456cc4c282d5c
x86_64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 1eeb3684de60e2f202f6e3e9f3916f090e2a746f8648e6eab500d81bf03de20e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: c9718b67b4c7793f612067aca64fea6fea9517cc050ca1d1bf57fbdbf2ce8e8e
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 83f60d53eaadeecd3304fe1f9dccead3387e98703c8a24869a4d88e17ac33604
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: ee2f2e9d5aeda73d21fbd95e2905f869ec8cb361c041c7898c575a5682636dc3
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 17174dda67b0cb3e85b8429df0df7109f4f01cf063b3058fd208ac6041022c45
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm	SHA-256: 6b08a0c3fccb167a290506dad05d8589bb6e96f6f2e3fc0da3b1f916e4729a23
ppc64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 7a06abfdf44e87c171b70ab52ec9ae500261e996f3a8d883db2efea00a04760a
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 9ca3993cb623872543ce7f6c9598550ff21fe78824d2c5f6926bfab5c0384437
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 1ae458421d9383fb7e414ffeeb19e7671d5c35cb112b32f4a7b27161dafcae12
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 1821ad48725b9ee242e8c50d2c124ba2b8327b4a05a6e2d13230140f27a546d6
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: d696886fef17eabeebed18ecfbf16281738cf4ada8513f01883be150890f07ea
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.ppc64.rpm	SHA-256: 11dd1fdbb9b26f740b990b77b0690ea9baa9dfdd5f70fa2765778c28a0c6659d

JBoss Enterprise Application Platform 6 for RHEL 6

SRPM
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm	SHA-256: a178b3c166fd34a8267256e16735860c4af4d3b79c4c6eeb424d8847c9cdf667
x86_64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: 18d0e2714b07ac3657e1a7e5e984174003634d0dcd5f6139615d1b9338f82457
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: 9b4f1f0ca860b11dab3a50ac4bf574c1a4ce3fc3c931f428fc7ac06e0debf348
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: ee8db2a8e36302d4ae6859ecb6821b991efd103940becb9700f160dc0f6992d3
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: eb950ce95cf94c2b2af79b85559ade42adf07d64cdc9a9f96e0fb48ea76b6d9b
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: e658108990ae3a9015e54a142450426873c4475f6557f0078146d4352ac157dd
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm	SHA-256: ef5a7fc42691f2610057c3623c493a1c8b2e9f9c6bd2f6e0f7397c4561dee811
ppc64
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: b8fdaae86933a410da29e164eefbc3137301dad4e94782cf396ede04eb1a069e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: a48f6af3f09c63ad8f32072528a2b051c5de6c7e0f31301ddb68720f1447dcce
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: 319cdf1ff6b64428597b47178e67b77d76a23589b0cafcd0f2c505f6e8c75208
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: de17bab283d1f9e1942293cb744c560a51bd3cf7c571230e29e527587dd5c261
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: f39c224e936a72be38cdd8a84d34f7c72456aafbeb4528fb4793e93264d81a29
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.ppc64.rpm	SHA-256: 289e4f3a980f2cbdedd6e750e21d70e7b9a0ff466b0817a2c18f5390250b78d1
i386
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 12fdc8388bd656ef5ae81e75ff67adaea4242e5e8ab46eebaf27980faaaa566e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 0d721eec463da294dc6524e9b36407128793c8799997457d36623754809fffba
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: b4318bc1df34802f3fb7e271a46b77f45a8d10b21617e685492c7c7ebc2aea1f
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: efffa323986b0967be112446db44db639f6230d22e6ab1a63792a981124c13d2
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: e2df36a03c46e355b000db5a9bdce4f4d296d5cf40a0e21ff0a8087cbfad879e
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm	SHA-256: 6480af7ff4572f198c667a62346079af57c3076687f324dea6b4ecf06243dc30

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation