what you don't know can hurt you

Red Hat Security Advisory 2014-1727-01

Red Hat Security Advisory 2014-1727-01
Posted Oct 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1727-01 - Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

tags | advisory, java, remote, web, denial of service
systems | linux, redhat
advisories | CVE-2013-4517
MD5 | 108b58b4580825a446f80b58a869e2e5

Red Hat Security Advisory 2014-1727-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID: RHSA-2014:1727-01
Product: Red Hat JBoss Web Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1727.html
Issue date: 2014-10-28
CVE Names: CVE-2013-4517
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes one
security issue is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications,
which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from
the Red Hat Customer Portal are advised to apply this update. The JBoss
server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise Web Platform installation (including all
applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

5. References:

https://access.redhat.com/security/cve/CVE-2013-4517
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUUA5QXlSAg2UNWIIRAsqeAJ9iDCgOScgWOzz2C6oo/p+p9KOW9gCeP/0h
5KwgEnzfv2Xa4Fzio2L8Sn4=
=4SWh
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close