-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Fuse/A-MQ 6.2.1 security and bug fix update
Advisory ID:       RHSA-2016:1424-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1424
Issue date:        2016-07-13
CVE Names:         CVE-2016-0734 CVE-2016-0782 
=====================================================================

1. Summary:

Red Hat JBoss Fuse and A-MQ 6.2.1 Rollup Patch 3, which fixes two security
issues and includes several bug fixes and various enhancements, is now
available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.2.1 and Red Hat JBoss A-MQ
6.2.1. It includes several bug fixes, which are documented in the
readme.txt file included with the patch files.

Security Fix(es):

* It was reported that the web based administration console does not set
the X-Frame-Options header in HTTP responses. This allows the console to be
embedded in a frame or iframe which could then be used to cause a user to
perform an unintended action in the console. (CVE-2016-0734)

* It was found that Apache Active MQ administration web console did not
validate input correctly when creating a queue. An authenticated attacker
could exploit this flaw via cross-site scripting and use it to access
sensitive information or further attacks. (CVE-2016-0782)

Refer to the readme.txt file included with the patch files for installation
instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1317516 - CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
1317520 - CVE-2016-0734 activemq: Clickjacking in Web Console

5. References:

https://access.redhat.com/security/cve/CVE-2016-0734
https://access.redhat.com/security/cve/CVE-2016-0782
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.2.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.2.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXhpswXlSAg2UNWIIRAisjAJsG9br7eUjvXFeKmU4weY0+ANFyzwCdHnuJ
j/k4C4djIpvW6L6Ek+ncAoQ=
=7RFX
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce