-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: jbosssx security update Advisory ID: RHSA-2013:0586-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0586.html Issue date: 2013-03-04 CVE Names: CVE-2012-5629 ===================================================================== 1. Summary: An update for JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 which fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629) Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on. All users of JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains download links (you must log in to download the update). Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on. For JBoss Enterprise BRMS Platform, JBoss Enterprise Portal Platform, and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process. 4. Bugs fixed (http://bugzilla.redhat.com/): 885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP 5. References: https://www.redhat.com/security/data/cve/CVE-2012-5629.html https://access.redhat.com/security/updates/classification/#important http://tools.ietf.org/html/rfc4513 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.2.0.GA_CP05 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=soaplatform&version=4.3.0.GA_CP05 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRNQ+MXlSAg2UNWIIRAs8XAJwP2jzgF+CZsR5FEyj7Y0n0xQnV3wCfY+hg HmyWnEEOh1jEeElyCfsHVzc= =ePN7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce