Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0841 Important: JBoss Enterprise Portal Platform 5.2.2 update 6 September 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: JBoss Enterprise Middleware Publisher: Red Hat Operating System: UNIX variants (UNIX, Linux, OSX) Windows Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Cross-site Request Forgery -- Remote with User Interaction Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-2377 CVE-2012-1167 CVE-2012-0213 CVE-2011-4605 CVE-2011-2908 CVE-2009-2625 Reference: ESB-2012.0757 ESB-2012.0750 ESB-2012.0718 ESB-2012.0605 ESB-2012.0596 ESB-2012.0595 ESB-2012.0570 ESB-2011.0609 ASB-2009.1109 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2012-1232.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running JBoss Enterprise Middleware check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Portal Platform 5.2.2 update Advisory ID: RHSA-2012:1232-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1232.html Issue date: 2012-09-05 CVE Names: CVE-2009-2625 CVE-2011-2908 CVE-2011-4605 CVE-2012-0213 CVE-2012-1167 CVE-2012-2377 ===================================================================== 1. Summary: JBoss Enterprise Portal Platform 5.2.2, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience. This release of JBoss Enterprise Portal Platform 5.2.2 serves as a replacement for JBoss Enterprise Portal Platform 5.2.1, and includes bug fixes. Refer to the JBoss Enterprise Portal Platform 5.2.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ The following security issues are also fixed with this release: It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625) It was found that the JMX Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the JMX Console, into visiting a specially-crafted URL, the attacker could perform operations on MBeans, which may lead to arbitrary code execution in the context of the JBoss server process. (CVE-2011-2908) A flaw was found in the way Apache POI, a Java API for manipulating files created with a Microsoft Office application, handled memory when processing certain Channel Definition Format (CDF) and Compound File Binary Format (CFBF) documents. A remote attacker could provide a specially-crafted CDF or CFBF document to an application using Apache POI, leading to a denial of service. (CVE-2012-0213) When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167) When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377) Red Hat would like to thank Christian Schlüter (VIADA) for reporting the CVE-2011-4605 issue. Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. All users of JBoss Enterprise Portal Platform 5.2.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Portal Platform 5.2.2. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. 4. Bugs fixed (http://bugzilla.redhat.com/): 512921 - CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701) 730176 - CVE-2011-2908 CSRF on jmx-console allows invocation of operations on mbeans 766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default 799078 - CVE-2012-0213 apache-poi, jakarta: JVM destabilization due to memory exhaustion when processing CDF/CFBF files 802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm 823392 - CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started 5. References: https://www.redhat.com/security/data/cve/CVE-2009-2625.html https://www.redhat.com/security/data/cve/CVE-2011-2908.html https://www.redhat.com/security/data/cve/CVE-2011-4605.html https://www.redhat.com/security/data/cve/CVE-2012-0213.html https://www.redhat.com/security/data/cve/CVE-2012-1167.html https://www.redhat.com/security/data/cve/CVE-2012-2377.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions https://access.redhat.com/knowledge/docs/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQR4XoXlSAg2UNWIIRAm+LAJ9fqWBG9OIv4KjYXevxQYn6bUepwQCgpbKq M2WbydVCnMssMB1PdZAC6s4= =eLbW - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUEggTu4yVqjM2NGpAQIGEA//YhmNHzHWsaEwuQB6synJI37DzGUpBGe3 uafuUonmpkdUFjRjxy6VvLvjxFvM27P3uJuxYQTt8UFnIndc6CBrXXbv/4tbUQGK 7RECkNgWz30/CVtj5jBKkU9QGTgq23OxIrDHp7xV0Twc4EeyVWlLPLz9hkTPrpdj 7T2JSo7IKGHqVRMYRQ9whHl2LJ25qb7EebZLBlMwKkFuSsh3KMfx6rBM4PkfYXju OkaKtf5ffECZ1ExwQ6txeJBggx7px/eF6bpiLLqcx8HpVoYl+3zWSlv9kDExkuMM I6KHudV/sLkWA/5FYGMwFjD2zKRT9GQLwqqdANZYLzQqkaCdmSfuVruuPo0PHM1y Vb/hgcK7npslACmkNjpKtknq5l8SDDW0eAX2UYXI2ERkKm8mMXhfyk7frso4bq+m AxtJXQYmm5CzHedbpCZJmRzsGEj9LPBlPxALqmYK2mInc1EL235TxlZdpEBy0Lj9 X9VhDwprzqj2RVl81mgylsZP2Q41v2iXOG6+IVVM/Ga1qvLDMgyi5tzmR7yxMDUL OQBNwupu16x5XkgbyAHKUkDygyoceJBZ5xeOK3HpfIiOELcodPQyRWgf8tbQ65je +vPjvfFmPxfNukSWGo5t6fQPft0Id0dN518gtq78DmYIOjDDekroQECvrCbKjv+l 6RD2v7e8Wy8= =MHAU -----END PGP SIGNATURE-----