ESB-2012.0718 - [RedHat] JBoss Enterprise SOA Platform: Multiple vulnerabilities

Date: 01 August 2012
References: ESB-2012.0841  ASB-2011.0091  ESB-2012.0012  ASB-2012.0009  ESB-2012.0335  ESB-2012.0605  ESB-2012.0905  ESB-2013.0111  ESB-2013.0112  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0718
           Important: JBoss Enterprise SOA Platform 5.3.0 update
                               1 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Enterprise SOA Platform
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Reduced Security       -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2377 CVE-2012-0818 CVE-2012-0079
                   CVE-2011-4838 CVE-2011-4605 CVE-2011-3517
                   CVE-2011-3506  

Reference:         ASB-2012.0009
                   ESB-2012.0605
                   ESB-2012.0335
                   ESB-2012.0012
                   ASB-2011.0091

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2012-1125.html

Comment: Note that the fix for CVE-2012-0818 requires manually changing a
         configuration option.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 5.3.0 update
Advisory ID:       RHSA-2012:1125-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1125.html
Issue date:        2012-07-31
CVE Names:         CVE-2011-3506 CVE-2011-3517 CVE-2011-4605 
                   CVE-2011-4838 CVE-2012-0079 CVE-2012-0818 
                   CVE-2012-2377 
=====================================================================

1. Summary:

JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure.

This release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement
for JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

The following security issues are also fixed with this release:

It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)

A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2011-4838)

Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2011-4838 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.

It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. The fix for this issue is not
enabled by default. Refer to the Solution section for details.
(CVE-2012-0818)

Multiple flaws were found in the Oracle OpenSSO authentication and
administration components. A remote attacker could use these flaws to
affect the integrity and availability of a service that uses Oracle
OpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)

Note: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of
the opensso quickstart example application. The CVE-2011-3506,
CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso
quickstart example application is deployed, or you have created and
deployed a custom application that is packaged with a copy of Oracle
OpenSSO as provided by the opensso quickstart.

The opensso quickstart has been removed in this release to address these
flaws. Users interested in continuing to receive updates for their custom
applications using Oracle OpenSSO are advised to contact Oracle as Red Hat
is no longer supporting OpenSSO.

When a JGroups channel is started, the JGroups diagnostics service would be
enabled by default with no authentication. This service is exposed via IP
multicast. An attacker on an adjacent network could exploit this flaw to
read diagnostics information. (CVE-2012-2377)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT
acknowledges Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4838.

Warning: Before installing version 5.3.0, back up your existing JBoss
Enterprise SOA Platform installation (including its databases,
applications, configuration files, and so on).

3. Solution:

All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red
Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform
5.3.0.

The References section of this erratum contains a download link (you must
log in to download the new version). Before installing version 5.3.0, back
up your existing JBoss Enterprise SOA Platform installation (including its
databases, applications, configuration files, and so on).

The fix for CVE-2012-0818 is not enabled by default. This update adds a new
configuration option to disable entity expansion in RESTEasy. If
applications on your server expose RESTEasy XML endpoints, a
resteasy.document.expand.entity.references configuration snippet must be
added to their web.xml file to disable entity expansion in RESTEasy. Refer
to Red Hat Bugzilla bug 785631 for details.
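
Added example (not part of the Red Hat advisory or the AusCERT bulletin): a
small audit that reports, for each web.xml, whether the
resteasy.document.expand.entity.references context parameter is set to false.
The sample descriptors are constructed, and the "uses RESTEasy" test is a
simple text heuristic assumed for this example.

```python
import sys
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

# Constructed sample descriptors (not taken from the advisory or bug 785631).
SERVLET = """  <servlet>
    <servlet-name>Resteasy</servlet-name>
    <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
  </servlet>
"""
CONTEXT_PARAM = """  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>
"""
WEB_APP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">\n%s</web-app>'
HARDENED = WEB_APP % (CONTEXT_PARAM + SERVLET)
UNSET = WEB_APP % SERVLET
ENABLED = HARDENED.replace(">false<", ">true<")

def local(tag):
    """Drop the namespace so descriptors of any servlet version match."""
    return tag.rsplit("}", 1)[-1]

def context_params(root):
    """Return {param-name: param-value} for top-level <context-param> entries."""
    params = {}
    for el in root:
        if local(el.tag) == "context-param":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def audit(web_xml):
    """Classify one web.xml (str or bytes) against the CVE-2012-0818 setting."""
    root = ET.fromstring(web_xml)
    # Heuristic (assumption): the app uses RESTEasy if any element text names it.
    if not any("resteasy" in (el.text or "").lower() for el in root.iter()):
        return "not-resteasy"
    value = context_params(root).get(PARAM)
    if value is None:
        return "missing"            # fix not enabled: entities are still expanded
    return "hardened" if value.lower() == "false" else "expansion-enabled"

if __name__ == "__main__":
    for path in sys.argv[1:]:       # e.g. each deployed app's WEB-INF/web.xml
        with open(path, "rb") as fh:
            print(path, audit(fh.read()))
```

Applications that register RESTEasy without naming it in web.xml are reported
as "not-resteasy" by this heuristic and need a manual check.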

4. Bugs fixed (http://bugzilla.redhat.com/):

749078 - CVE-2011-3506 Oracle OpenSSO: unspecified vulnerability in the authentication component
749079 - CVE-2011-3517 Oracle OpenSSO: unspecified vulnerability in the authentication component
766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
770820 - CVE-2011-4838 jruby: hash table collisions DoS (oCERT-2011-003)
783898 - CVE-2012-0079 OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors
785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw
823392 - CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-3506.html
https://www.redhat.com/security/data/cve/CVE-2011-3517.html
https://www.redhat.com/security/data/cve/CVE-2011-4605.html
https://www.redhat.com/security/data/cve/CVE-2011-4838.html
https://www.redhat.com/security/data/cve/CVE-2012-0079.html
https://www.redhat.com/security/data/cve/CVE-2012-0818.html
https://www.redhat.com/security/data/cve/CVE-2012-2377.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions
http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
https://bugzilla.redhat.com/show_bug.cgi?id=785631
https://access.redhat.com/knowledge/docs/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFQF+z+XlSAg2UNWIIRAu0QAJ0VvHl1qMIEROn4fYZn8w68cxUtYQCcDm7N
oJSh3P9hyFtyzj+JkX2vKZk=
=dqG/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----