exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2015-0125-01

Red Hat Security Advisory 2015-0125-01
Posted Feb 4, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0125-01 - Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. This release serves as a replacement for Red Hat JBoss Web Framework Kit 2.6.0, and includes bug fixes and enhancements.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2014-3490, CVE-2014-3558, CVE-2014-3577
SHA-256 | 458310105b1d75920acc0a556797f379a84d6fbdc2f973508a56558ed2fb7a7a

Red Hat Security Advisory 2015-0125-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Framework Kit 2.7.0 update
Advisory ID: RHSA-2015:0125-01
Product: Red Hat JBoss Web Framework Kit
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0125.html
Issue date: 2015-02-04
CVE Names: CVE-2012-6153 CVE-2014-3490 CVE-2014-3558
CVE-2014-3577
=====================================================================

1. Summary:

Red Hat JBoss Web Framework Kit 2.7.0, which fixes multiple security
issues, various bugs, and adds enhancements, is now available from the Red
Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications.

This release serves as a replacement for Red Hat JBoss Web Framework Kit
2.6.0, and includes bug fixes and enhancements. Refer to the 2.7.0 Release
Notes for information on the most significant of these changes, available
shortly from https://access.redhat.com/documentation/

This release also fixes the following security issues:

It was discovered that the HttpClient incorrectly extracted host name from
an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

Note: For additional information on these two flaws, refer to the
Knowledgebase article in the References section.

It was found that external parameter entities were not disabled when the
resteasy.document.expand.entity.references parameter was set to false.
A remote attacker able to send XML requests to a RESTEasy endpoint could
use this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2014-3490)

It was discovered that the implementation of
org.hibernate.validator.util.ReflectionHelper together with the permissions
required to run Hibernate Validator under the Java Security Manager could
allow a malicious application deployed in the same application container to
execute several actions with escalated privileges, which might otherwise
not be possible. This flaw could be used to perform various attacks,
including but not restricted to, arbitrary code execution in systems that
are otherwise secured by the Java Security Manager. (CVE-2014-3558)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product
Security, and the CVE-2014-3490 issue was discovered by David Jorm of Red
Hat Product Security.

All users of Red Hat JBoss Web Framework Kit 2.6.0 as provided from the Red
Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework
Kit 2.7.0.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing installation of Red Hat JBoss Enterprise Application Platform or
Red Hat JBoss Web Server, and applications deployed to it.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities
1120495 - CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2014-3490
https://access.redhat.com/security/cve/CVE-2014-3558
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Framework_Kit/
https://access.redhat.com/solutions/1165533

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFU0l67XlSAg2UNWIIRAryRAJwON5ylF8jxgdEQmBYR4GsAsW2dZQCeI4ZG
tG8qrYQs5qifvt4ah+s/PXc=
=Pq0U
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close