
Red Hat Security Advisory 2015-1551-01
Posted Aug 5, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1551-01 - Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also fixed with this release: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle attacker could use this flaw to spoof a valid certificate.

tags | advisory, web, spoof
systems | linux, redhat
advisories | CVE-2013-7397, CVE-2013-7398
SHA-256 | f81b1c7aa71caea5275592e1b3edd2a6dbb8b26ba81bf656af5c0616e8195285

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Fuse Service Works 6.0.0 security update
Advisory ID: RHSA-2015:1551-01
Product: Red Hat JBoss Fuse Service Works
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1551.html
Issue date: 2015-08-05
CVE Names: CVE-2013-7397 CVE-2013-7398
=====================================================================

1. Summary:

Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 5, which fixes
two security issues and various bugs, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse
Service Works 6.0.0. It includes various bug fixes, which are listed in the
README file included with the patch files.

The following security issues are also fixed with this release:

It was found that async-http-client would disable SSL/TLS certificate
verification under certain conditions, for example if HTTPS communication
also used client certificates. A man-in-the-middle (MITM) attacker could
use this flaw to spoof a valid certificate. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname
matched the domain name in the subject's Common Name (CN) or subjectAltName
field in X.509 certificates. This could allow a man-in-the-middle attacker
to spoof an SSL server if they had a certificate that was valid for any
domain name. (CVE-2013-7398)
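The two checks the advisory says async-http-client skipped are easy to state but easy to get wrong, so here is an added, stand-alone illustration of both. It is not code from the advisory or from async-http-client, and it is written in Python rather than Java so it can be run offline: `hostname_matches_cert` performs the server-name check that CVE-2013-7398 describes as missing (subjectAltName first, Common Name only as a legacy fallback, wildcard limited to the leftmost label), and `audit_client_context` flags a TLS client configuration that, like the CVE-2013-7397 case, authenticates with a client certificate but no longer verifies the server. The certificate dictionaries and the function names are constructed for this example and are not taken from the advisory.

```python
"""Hostname verification and TLS-client configuration audit (added example)."""
import ipaddress
import ssl


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name (optionally '*.example.com') against a hostname.
    The wildcard is accepted only as the entire leftmost label and only when at
    least two labels follow it, so '*.com' never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """Return True only if `hostname` is covered by `cert`.

    `cert` uses the dictionary shape returned by ssl.SSLSocket.getpeercert():
    {'subject': ((('commonName', 'x'),),), 'subjectAltName': (('DNS', 'x'), ...)}.
    subjectAltName entries take precedence; the CN is consulted only when the
    certificate carries no DNS SAN at all.  Skipping this check entirely is the
    defect described in CVE-2013-7398."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals are compared only against IP Address SANs, never against DNS names.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def audit_client_context(ctx):
    """List the ways an ssl.SSLContext used as an HTTPS client fails to verify
    the server.  Presenting a client certificate (load_cert_chain) must not
    change either setting; a client that drops them in that case has the
    CVE-2013-7397 behaviour."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    return findings


def build_contexts():
    """Constructed pair: a correctly configured client context and a weakened one."""
    good = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    bad = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    bad.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    bad.verify_mode = ssl.CERT_NONE
    return good, bad


# Constructed sample certificates (not real certificates, not from the advisory).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.com"),),)}
CERT_BAD_WILDCARD = {"subjectAltName": (("DNS", "*.com"),)}

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.net", "ignored.example.org", "192.0.2.10"):
        print(host, hostname_matches_cert(CERT_WITH_SAN, host))
    good, bad = build_contexts()
    print("good context findings:", audit_client_context(good))
    print("bad context findings:", audit_client_context(bad))
```

The CN fallback is deliberately last: a certificate that carries any DNS subjectAltName is judged on those names alone, which is why `ignored.example.org` is rejected even though it is the CN. The audit helper is the kind of check worth running against every client context an application builds, since the advisory's first issue is precisely a context that was hardened on one axis (client authentication) and silently weakened on another.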

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Fuse Service Works installation (including its
databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Fuse Service Works
server by stopping the JBoss Application Server process before installing
this update, and then after installing the update, restart the Red Hat
JBoss Fuse Service Works server by starting the JBoss Application
Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1133769 - CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
1133773 - CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates

5. References:

https://access.redhat.com/security/cve/CVE-2013-7397
https://access.redhat.com/security/cve/CVE-2013-7398
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVwjhOXlSAg2UNWIIRAidOAJ99GuSq7MLaQ6/Ft/o6HHzT/YNfPgCfWFYk
hCFx3CQAQDwA2Omgs3ahiQI=
=S2Ea
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce