-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Framework Kit 2.5.0 security update
Advisory ID:       RHSA-2014:0462-01
Product:           Red Hat JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0462.html
Issue date:        2014-05-01
CVE Names:         CVE-2014-0149 
=====================================================================

1. Summary:

An update for the seam-remoting component of Red Hat JBoss Web Framework
Kit 2.5.0 that fixes one security issue is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications. The JBoss Seam Remoting
component provides a convenient method for remotely accessing Seam
components from a web page, using AJAX (Asynchronous JavaScript and XML).

It was found that JBoss Seam response envelopes included unsanitized
parameter and ID names provided in the request. This allowed a request to
inject arbitrary XML into the response. A remote attacker could use this
flaw to perform reflected cross-site scripting (XSS) attacks, provided the
JBoss Seam remoting application did not use any cross-site request forgery
(CSRF) protection. (CVE-2014-0149)

All users of Red Hat JBoss Web Framework Kit 2.5.0 as provided from the Red
Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing installation of Red Hat JBoss Web Framework Kit.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1078646 - CVE-2014-0149 JBoss Seam: XSS flaw in remoting

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0149.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.5.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTYq/bXlSAg2UNWIIRAu1TAJ9cldYrLDob0iXXwOFcCmXMzYuAuQCfWs9z
6kjy9uEIQ+l3HpsxD27mtrg=
=ssUn
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce