-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update
Advisory ID:       RHSA-2014:1823-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1823.html
Issue date:        2014-11-06
CVE Names:         CVE-2013-4002 
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.3.2 and fix one security issue, several bugs, and add various
enhancements are now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

A resource consumption issue was found in the way Xerces-J handled XML
declarations. A remote attacker could use an XML document with a specially
crafted declaration using a long pseudo-attribute name that, when parsed by
an application using Xerces-J, would cause that application to use an
excessive amount of CPU. (CVE-2013-4002)

This release of JBoss Enterprise Application Platform also includes bug
fixes and enhancements. A list of these changes is available from the JBoss
Enterprise Application Platform 6.3.2 Downloads page on the Customer
Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 as provided
from the Red Hat Customer Portal are advised to apply this update.
The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing Red Hat JBoss Enterprise Application Platform installation and
deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)

5. References:

https://access.redhat.com/security/cve/CVE-2013-4002
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=6.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUW68IXlSAg2UNWIIRAqYVAJ92MIQWF1QZxmtNhBC4d28L7FGFzgCgrUEC
Y1G3ZpLoy23ryegMYfWQB2c=
=Fi5F
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce