-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.3 openssl security update
Advisory ID:       RHSA-2014:1297-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1297.html
Issue date:        2014-09-24
CVE Names:         CVE-2014-3505 CVE-2014-3506 CVE-2014-3508 
                   CVE-2014-3510 
=====================================================================

1. Summary:

An update for the OpenSSL packages for Red Hat JBoss Enterprise Application
Platform 6.3 that fixes multiple security issues is now available from the
Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.

It was discovered that the OBJ_obj2txt() function could fail to properly
NUL-terminate its output. This could possibly cause an application using
OpenSSL functions to format fields of X.509 certificates to disclose
portions of its memory. (CVE-2014-3508)

Two flaws were discovered in the way OpenSSL handled DTLS packets. A remote
attacker could use these flaws to cause a DTLS server or client using
OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505,
CVE-2014-3506)

A NULL pointer dereference flaw was found in the way OpenSSL performed a
handshake when using the anonymous Diffie-Hellman (DH) key exchange. A
malicious server could cause a DTLS client using OpenSSL to crash if that
client had anonymous DH cipher suites enabled. (CVE-2014-3510)

All users of Red Hat JBoss Enterprise Application Platform 6.3.0 as
provided from the Red Hat Customer Portal are advised to apply this update.
The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing Red Hat JBoss Enterprise Application Platform installation and
deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1127490 - CVE-2014-3508 openssl: information leak in pretty printing functions
1127499 - CVE-2014-3505 openssl: DTLS packet processing double free
1127500 - CVE-2014-3506 openssl: DTLS memory exhaustion
1127503 - CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3505.html
https://www.redhat.com/security/data/cve/CVE-2014-3506.html
https://www.redhat.com/security/data/cve/CVE-2014-3508.html
https://www.redhat.com/security/data/cve/CVE-2014-3510.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUIvg8XlSAg2UNWIIRAs0zAJ9QyXiyAissuTIRiek1ctgMye9PlQCfbT7n
ukDftREdzf34uprOJq9gJnA=
=+lHX
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce