-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Framework Kit 2.5.0 security update Advisory ID: RHSA-2014:0785-01 Product: Red Hat JBoss Web Framework Kit Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0785.html Issue date: 2014-06-23 CVE Names: CVE-2014-0248 ===================================================================== 1. Summary: An update for the Seam component of Red Hat JBoss Web Framework Kit 2.5.0 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. Seam is an open source development platform for building rich Internet applications in Java. Seam integrates technologies such as Asynchronous JavaScript and XML (AJAX), JavaServer Faces (JSF), Java Persistence API (JPA), and Enterprise Java Beans (EJB). Seam 2.3 provides support for JSF 2, RichFaces 4, and JPA 2 capabilities, running on top of Red Hat JBoss Enterprise Application Platform 6. It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248) All users of Red Hat JBoss Web Framework Kit 2.5.0 as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing installation of Red Hat JBoss Web Framework Kit. The JBoss server process must be restarted for this update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter 5. References: https://www.redhat.com/security/data/cve/CVE-2014-0248.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.5.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTqHdoXlSAg2UNWIIRAtaPAJ45cpvX/0QMR6qHhf9HA53OrvTWVgCeNWNq S++zth5HhzSZjoufaSqYpPU= =aJ59 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce