AusCERT - ESB-2011.0279 - [RedHat] JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2: Denial of service

HOME
About AusCERT
Membership
PKI Services
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2011.0279 - [RedHat] JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2: Denial of service - Remote/unauthenticated
Date: 10 March 2011
References: ASB-2011.0013

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0279
Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update
                               10 March 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4476  

Reference:         ASB-2011.0013

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2011-0333.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update
Advisory ID:       RHSA-2011:0333-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0333.html
Issue date:        2011-03-09
CVE Names:         CVE-2010-4476 
=====================================================================

1. Summary:

Updated jbossweb-2.0.0.jar and jbossweb-2.1.10.jar files for JBoss
Enterprise SOA Platform 4.3.CP04 and 5.0.2 that fix one security issue are
now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure. JBoss Enterprise SOA Platform allows IT
to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.

A denial of service flaw was found in the way certain strings were
converted to Double objects. A remote attacker could use this flaw to cause
JBoss Web Server to hang via a specially-crafted HTTP request.
(CVE-2010-4476)

All users of JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 as provided
from the Red Hat Customer Portal are advised to install this update. Refer
to the Solution section of this erratum for update instructions.

3. Solution:

Updated jbossweb-2.0.0.jar (for 4.3.CP04) and jbossweb-2.1.10.jar (for
5.0.2) files that fix CVE-2010-4476 for JBoss Enterprise SOA Platform
4.3.CP04 and 5.0.2 are available from the Red Hat Customer Portal. To
download and install the updated files:

1) Log into the Customer Portal: https://access.redhat.com/login

2) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html

3) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"SOA Platform". Then, using the "Version:" drop down menu, select the SOA
Platform version you are using, such as "4.3.0.GA_CP04" or "5.0.2 GA".

4) From the "Security Advisories" tab, click the "CVE-2010-4476 JBossweb
update fixing JDK double bug..." link in the "Download File" column. The
"Software Details" page is displayed, where you can download the update
and view installation instructions.

5) Backup your existing jbossweb.jar file (refer to the "Software Details"
page, from step 4, for the location of this file).

6) After downloading the update, ensure you backed up your existing
jbossweb.jar file as per step 5, and then follow the manual installation
step on the "Software Details" page. Note that it is recommended to halt
the JBoss Enterprise SOA Platform server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the JBoss Enterprise SOA Platform server by starting the
JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service

5. References:

https://www.redhat.com/security/data/cve/CVE-2010-4476.html
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFNd8xJXlSAg2UNWIIRAmYSAKCpxwgBz8N1y48HHRcZm1WgITSXcQCfcW2B
7djxaB2eVIzFMv7ZL+6puvU=
=SvR1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNeCeg/iFOrG6YcBERAky8AKC9fUR6BYXNWVwp2DBI1qbqSS1IxwCcCPxY
S/LlI6QJ3HwVD8Mp6NNyWNc=
=x0FJ
-----END PGP SIGNATURE-----