-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2013:0783-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0783.html Issue date: 2013-05-01 CVE Names: CVE-2013-0166 CVE-2013-0169 ===================================================================== 1. Summary: An update for the OpenSSL component for JBoss Enterprise Application Platform 5.2.0 for Solaris and Microsoft Windows that fixes two security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166) It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169) Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files). All users of JBoss Enterprise Application Platform 5.2.0 for Solaris and Microsoft Windows as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files). JBoss server instances configured to use the Tomcat Native library must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13) 908052 - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification 5. References: https://www.redhat.com/security/data/cve/CVE-2013-0166.html https://www.redhat.com/security/data/cve/CVE-2013-0169.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRgVrKXlSAg2UNWIIRAvcsAJ4in5pJNa8IvaAWovQedSRDPT8c5wCgn5mb Ye1PyaSjfXCbOJGIpqidUF4= =GOdf -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce