Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0912 Important: openssl security update 25 September 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: JBoss Enterprise Web Server 1.0.2 JBoss Enterprise Application Platform 5.1.2 JBoss Enterprise Application Platform 6.0.0 Publisher: JBoss Enterprise Web Server 1.0.2 JBoss Enterprise Application Platform 5.1.2 JBoss Enterprise Application Platform 6.0.0 Operating System: Windows Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-2333 CVE-2012-2110 CVE-2012-1165 CVE-2012-0884 CVE-2011-4619 CVE-2011-4576 CVE-2011-4109 CVE-2011-4108 Reference: ESB-2012.0467 ESB-2012.0388 ESB-2012.0269 ESB-2012.0074 ESB-2012.0027 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2012-1306.html https://rhn.redhat.com/errata/RHSA-2012-1307.html https://rhn.redhat.com/errata/RHSA-2012-1308.html Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openssl security update Advisory ID: RHSA-2012:1306-01 Product: JBoss Enterprise Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1306.html Issue date: 2012-09-24 CVE Names: CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2333 ===================================================================== 1. Summary: An update for the OpenSSL component for JBoss Enterprise Web Server 1.0.2 for Solaris and Microsoft Windows that fixes multiple security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Web Server: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). All users of JBoss Enterprise Web Server 1.0.2 for Solaris and Microsoft Windows as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files). The Apache HTTP Server must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 771770 - CVE-2011-4108 openssl: DTLS plaintext recovery attack 771771 - CVE-2011-4109 openssl: double-free in policy checks 771775 - CVE-2011-4576 openssl: uninitialized SSL 3.0 padding 771780 - CVE-2011-4619 openssl: SGC restart DoS attack 802489 - CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash 802725 - CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack 814185 - CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow 820686 - CVE-2012-2333 openssl: record length handling integer underflow 5. References: https://www.redhat.com/security/data/cve/CVE-2011-4108.html https://www.redhat.com/security/data/cve/CVE-2011-4109.html https://www.redhat.com/security/data/cve/CVE-2011-4576.html https://www.redhat.com/security/data/cve/CVE-2011-4619.html https://www.redhat.com/security/data/cve/CVE-2012-0884.html https://www.redhat.com/security/data/cve/CVE-2012-1165.html https://www.redhat.com/security/data/cve/CVE-2012-2110.html https://www.redhat.com/security/data/cve/CVE-2012-2333.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQYIVjXlSAg2UNWIIRApThAKCqRtnjOMmmU6ldxMfe8IgtnTKI+gCfTN5F /o7sBLv6lDNlbf5UeJpK2G0= =xlR2 - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openssl security update Advisory ID: RHSA-2012:1307-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1307.html Issue date: 2012-09-24 CVE Names: CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2333 ===================================================================== 1. Summary: An update for the OpenSSL component for JBoss Enterprise Application Platform 5.1.2 for Solaris and Microsoft Windows that fixes multiple security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Application Platform: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "server/[PROFILE]/deploy/" directory, along with all other customized configuration files. All users of JBoss Enterprise Application Platform 5.1.2 for Solaris and Microsoft Windows as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files). JBoss server instances configured to use the Tomcat Native library must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 771770 - CVE-2011-4108 openssl: DTLS plaintext recovery attack 771771 - CVE-2011-4109 openssl: double-free in policy checks 771775 - CVE-2011-4576 openssl: uninitialized SSL 3.0 padding 771780 - CVE-2011-4619 openssl: SGC restart DoS attack 802489 - CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash 802725 - CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack 814185 - CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow 820686 - CVE-2012-2333 openssl: record length handling integer underflow 5. References: https://www.redhat.com/security/data/cve/CVE-2011-4108.html https://www.redhat.com/security/data/cve/CVE-2011-4109.html https://www.redhat.com/security/data/cve/CVE-2011-4576.html https://www.redhat.com/security/data/cve/CVE-2011-4619.html https://www.redhat.com/security/data/cve/CVE-2012-0884.html https://www.redhat.com/security/data/cve/CVE-2012-1165.html https://www.redhat.com/security/data/cve/CVE-2012-2110.html https://www.redhat.com/security/data/cve/CVE-2012-2333.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQYIWAXlSAg2UNWIIRAvuYAJ9pO3bR7gaailCeXKyqndaw+Ir+7gCdEc8+ MFp7NNG88KAnEksVM43FKv8= =LjcO - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openssl security update Advisory ID: RHSA-2012:1308-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1308.html Issue date: 2012-09-24 CVE Names: CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2333 ===================================================================== 1. Summary: An update for the OpenSSL component for JBoss Enterprise Application Platform 6.0.0 for Solaris and Microsoft Windows that fixes multiple security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) This update also fixes additional security issues in OpenSSL that are not exposed in JBoss Enterprise Application Platform: CVE-2011-4108, CVE-2012-0884, CVE-2012-1165, and CVE-2012-2333. Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications, and also back up your existing Apache HTTP Server installation (including all applications and configuration files). All users of JBoss Enterprise Application Platform 6.0.0 for Solaris and Microsoft Windows as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Application Platform installation and deployed applications, and also back up your existing Apache HTTP Server installation (including all applications and configuration files). The Apache HTTP Server, as well as JBoss server instances configured to use the Tomcat Native library, must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 771770 - CVE-2011-4108 openssl: DTLS plaintext recovery attack 771771 - CVE-2011-4109 openssl: double-free in policy checks 771775 - CVE-2011-4576 openssl: uninitialized SSL 3.0 padding 771780 - CVE-2011-4619 openssl: SGC restart DoS attack 802489 - CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash 802725 - CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack 814185 - CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow 820686 - CVE-2012-2333 openssl: record length handling integer underflow 5. References: https://www.redhat.com/security/data/cve/CVE-2011-4108.html https://www.redhat.com/security/data/cve/CVE-2011-4109.html https://www.redhat.com/security/data/cve/CVE-2011-4576.html https://www.redhat.com/security/data/cve/CVE-2011-4619.html https://www.redhat.com/security/data/cve/CVE-2012-0884.html https://www.redhat.com/security/data/cve/CVE-2012-1165.html https://www.redhat.com/security/data/cve/CVE-2012-2110.html https://www.redhat.com/security/data/cve/CVE-2012-2333.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.0.0 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQYIWVXlSAg2UNWIIRAnQAAJ4sJHSdVIcJ+L/lv5GbpA6ACqopbACePszM HdiI0G5eFHP1ZFRXVrTzZ58= =87qT - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUGEP9+4yVqjM2NGpAQI25RAAmqioGp3rCK3IFF4Ufz+6AnCR70pApWhq jMMmf7BAtY6jJUrX76bSgmEdyBzch35gkt9srTmdmzRZWNmsIuRDr/gu0N8DDcBu wunrA5jkDcI4AEKrQLg9dhr4627Be+vu9k2pMiZi4Qyfivpn3ilyzxPFxm4fJdK5 PzMv1tBwK7LnXFvOTkBFbCirGZxGUsZRdOWN+MT6LdmIbkzc9W7ToaFaZs1tzu1T B7ZxplJca2ayB/aaqMU1pTjv9gc4PEzi2cdDRygqMOgmOEgxXpdniR7qrGN7RhTg EwTq7kTwoXyaYFD5Zqrh2zQ+zPXgT/ygcKb86kclBmYXsr1K4wC//nklhyc/mwJA JlcylEZ0n2saCBTPyTBeTYqxHyHi6iqzvdxL1PErPv7yPqMPOoI+Elhd+GIwtNbb je7uuIaiVnVSAcTpdAVE44fm4QPrsAIcGHXq0SUgaRNTG3IxjYoOiUv+vygQRFvs BD6HT8zLkTM3mgdhzcuS9RxNn15BfVwWtF+69ujKvlKiPI6zApavFY8TLpc15hCB UMUwZjcbZMssHVEqFKgztrM4eQ0Gt9cdYjjZcR91bY9rY1NIGFBhlp2f+7HQCL2R QKSn64cp0QtOYfWn7IskUsYo3vSpgEaTlbmnxSdTk1+s2dNCB64h/a0E20xZ2mrP IU0ElRTihCU= =FDz/ -----END PGP SIGNATURE-----