-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise SOA Platform 5.1.0 security update Advisory ID: RHSA-2011:1334-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1334.html Issue date: 2011-09-22 CVE Names: CVE-2011-2894 ===================================================================== 1. Summary: Updated Spring Framework 3 files for JBoss Enterprise SOA Platform 5.1.0 that fix multiple security issues are now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality. Multiple flaws were found in the way Spring Framework 3 deserialized certain Java objects. If an attacker were able to control the stream from which an application with the Spring Framework 3 AOP in its class-path was deserializing objects, they could use these flaws to execute arbitrary code with the privileges of the JBoss Application Server process via a specially-crafted, serialized Java object. (CVE-2011-2894) Note: JBoss Enterprise SOA Platform does not expose applications that deserialize objects from an untrusted source by default. These flaws would affect applications configured to trust a malicious source, for example, if the messaging service was configured to look up a remote messaging queue, and an attacker had control of that queue. All users of JBoss Enterprise SOA Platform 5.1.0 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section for information about installing the update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on). If you have created custom applications that are packaged with a copy of the Spring Framework 3 library, those applications must be rebuilt with the Spring Framework 3 files provided by this update. Note that it is recommended to halt the JBoss Enterprise SOA Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise SOA Platform server by starting the JBoss Application Server process. 4. Bugs fixed (http://bugzilla.redhat.com/): 737611 - CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization 5. References: https://www.redhat.com/security/data/cve/CVE-2011-2894.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.1.0+GA 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFOe2u0XlSAg2UNWIIRAko1AJ9jCnICBuYt0Ou2XIybJd3dHE/axACfQe48 rPSltdXnEliw5kYHw+eukDg= =b+0C -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce