-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 2.1.0 security update Advisory ID: RHSA-2015:1641-03 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1641.html Issue date: 2015-08-18 CVE Names: CVE-2014-8111 CVE-2015-0298 ===================================================================== 1. Summary: An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface. (CVE-2015-0298) It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. (CVE-2014-8111) All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). 4. Bugs fixed (https://bugzilla.redhat.com/): 1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing 1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages 5. References: https://access.redhat.com/security/cve/CVE-2014-8111 https://access.redhat.com/security/cve/CVE-2015-0298 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFV04JIXlSAg2UNWIIRAvwWAJ0TyWHgLfvmuHxeo/yw3cxUHMFQwQCfUQTT AZazcWpVed8aBxNQ4iAzRMY= =gX+U -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce