-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss A-MQ 6.3 security update Advisory ID: RHSA-2016:2036-01 Product: Red Hat JBoss A-MQ Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2036.html Issue date: 2016-10-06 CVE Names: CVE-2015-3192 CVE-2015-7940 CVE-2016-4437 ===================================================================== 1. Summary: Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes. Security Fix(es): It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437) A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192) It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940) Refer to the Product Documentation link in the References section for installation instructions. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys 1343346 - CVE-2016-4437 shiro: Security constraint bypass 5. References: https://access.redhat.com/security/cve/CVE-2015-3192 https://access.redhat.com/security/cve/CVE-2015-7940 https://access.redhat.com/security/cve/CVE-2016-4437 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0 https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX9nl/XlSAg2UNWIIRAn5DAKCeqOJhy3a+EAGO1sG/lNuo/JWFgQCfQRGS 3jDFUUI5eQBAO6ioMdCl8mQ= =CjkF -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce