-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Framework Kit 2.7.0 security update
Advisory ID:       RHSA-2015:0719-01
Product:           Red Hat JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0719.html
Issue date:        2015-03-24
CVE Names:         CVE-2015-0279 
=====================================================================

1. Summary:

An update for the RichFaces component of Red Hat JBoss Web Framework Kit
2.7.0 that fixes one security issue is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web
frameworks into a single solution for Java applications. RichFaces is an
open source framework that adds Ajax capability into existing JavaServer
Faces (JSF) applications.

It was found that the 'do' parameter permitted expression language (EL)
injection, which could allow a remote attacker to execute Java methods on
an affected server. (CVE-2015-0279)

Red Hat would like to thank Takeshi Terada of Mitsui Bussan Secure
Directions, Inc. for reporting this issue.

All users of Red Hat JBoss Web Framework Kit 2.7.0 as provided from the Red
Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing installation of Red Hat JBoss Web Framework Kit.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1192140 - CVE-2015-0279 RichFaces: Remote Command Execution via insufficient EL parameter sanitization

5. References:

https://access.redhat.com/security/cve/CVE-2015-0279
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.7.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVEdKHXlSAg2UNWIIRAi3aAJ4+HUJGVvAKoEnWwiZnCc0QlH2VhQCfTwoY
WYUdV6y9owOQEr6uudu0WQw=
=CHVs
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce