Australia's Leading Computer Emergency Response Team

ESB-2013.0612 - [Win][Solaris] JBoss Enterprise Web Platform and JBoss Enterprise Application Platform: Multiple vulnerabilities
Date: 02 May 2013
Original URL: http://www.auscert.org.au/render.html?cid=1980&it=17469
References: ESB-2013.0161  ASB-2013.0025  ESB-2013.0316  ESB-2013.0383  ESB-2013.0462  ESB-2013.0629  ESB-2013.0634  ESB-2013.0635  ESB-2013.0642  ESB-2013.0652  


Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0612
                     Moderate: openssl security update
                                2 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Enterprise Web Platform
                   JBoss Enterprise Application Platform
Publisher:         Red Hat
Operating System:  Solaris
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0169 CVE-2013-0166 

Reference:         ASB-2013.0025
                   ESB-2013.0462
                   ESB-2013.0383
                   ESB-2013.0316
                   ESB-2013.0161

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2013-0782.html
   https://rhn.redhat.com/errata/RHSA-2013-0783.html

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openssl security update
Advisory ID:       RHSA-2013:0782-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0782.html
Issue date:        2013-05-01
CVE Names:         CVE-2013-0166 CVE-2013-0169 
=====================================================================

1. Summary:

An update for the OpenSSL component for JBoss Enterprise Web Platform 5.2.0
for Solaris and Microsoft Windows that fixes two security issues is now
available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A NULL pointer dereference flaw was found in the OCSP response verification
in OpenSSL. A malicious OCSP server could use this flaw to crash
applications performing OCSP verification by sending a specially-crafted
response. (CVE-2013-0166)

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-0169)

Warning: Before applying this update, back up your existing JBoss
Enterprise Web Platform installation (including all applications and
configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 for Solaris and Microsoft
Windows as provided from the Red Hat Customer Portal are advised to apply
this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise Web Platform installation (including all
applications and configuration files).

JBoss server instances configured to use the Tomcat Native library must be
restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
908052 - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-0166.html
https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=enterpriseweb.platform&version=5.2.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRgVqwXlSAg2UNWIIRAloIAJ440IYgd4RyDqTRd/p3vntM5kT+WQCgsfEz
HfkVsqpdSu2KzoV8oBlZRxo=
=B/eX
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openssl security update
Advisory ID:       RHSA-2013:0783-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0783.html
Issue date:        2013-05-01
CVE Names:         CVE-2013-0166 CVE-2013-0169 
=====================================================================

1. Summary:

An update for the OpenSSL component for JBoss Enterprise Application
Platform 5.2.0 for Solaris and Microsoft Windows that fixes two security
issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A NULL pointer dereference flaw was found in the OCSP response verification
in OpenSSL. A malicious OCSP server could use this flaw to crash
applications performing OCSP verification by sending a specially-crafted
response. (CVE-2013-0166)

It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-0169)

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 for Solaris and
Microsoft Windows as provided from the Red Hat Customer Portal are advised
to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise Application Platform installation (including all
applications and configuration files).

JBoss server instances configured to use the Tomcat Native library must be
restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
908052 - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-0166.html
https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRgVrKXlSAg2UNWIIRAvcsAJ4in5pJNa8IvaAWovQedSRDPT8c5wCgn5mb
Ye1PyaSjfXCbOJGIpqidUF4=
=GOdf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUYHW9O4yVqjM2NGpAQJkzQ//SXlzaRRWflT+RU3GhYqqP3C4IPfZRWpR
G52WqiPl0A5wfxSDclK4FoYv/jJHrkU3hAnRmTEx21px/pPwFJSJJewBZfyujNPZ
X0E2a/QOuzcyB7MmYAswdcTQmahfi7obKts1RcQ1LZZ+3GCItgU61u4kNCR3uxEs
B1G0OMooJ2HjwoHpbcuT2qJKvNuUO+uMYh3pJ0SHG+n6NA435O0KEebt8qWF/lAm
fNsENVKV5Gvyk458HWoupXyUnTRgp/7E3Tj3t7+4HyT9Of1882S4A6tXo7d79v+M
MoJZFwmKnxWvpCNq2ErlObTbcYXmDvY6//1wbpdAQuOfOqK+FHCMeevAFgnyy91S
JWXl4b9txHE64dp84hXrMfWhXnSkPMkFsRzlPcVgkqf8dSdOntPEzzaRCI5sJSMB
Kz2TKMSSFXOiMR2z2hnJJl5/0bTup0v0jZu2uhh1MRPNhqjtuZ86AJY5xOLIbNm0
qcysJWr2aSbsisxMOrke/8Ex8rTd1SuU6DGt+5HKBqsw4ZsTDhZ4MuVDbTrhgn0+
jFIGrYy7AyS0DDwPuE61wYeHwrxypTdAaXwf2m2SlVa6XlOypVELql8cFVmpcsvH
UsGcYdUJepFBp9d+1t+SndOn298/fQCzB+j6Ndz52rhtDtDacAvmSKUJFgXBWt0B
o8Qivf3betc=
=dkvZ
-----END PGP SIGNATURE-----