Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0500
Moderate: Red Hat JBoss Fuse & A-MQ 6.1.0 update
15 April 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat JBoss Fuse
Red Hat JBoss A-MQ
Publisher: Red Hat
Operating System: Red Hat
Windows
Solaris
Impact/Access: Access Privileged Data -- Existing Account
Overwrite Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-1904 CVE-2014-0085 CVE-2014-0054
CVE-2014-0050 CVE-2013-6430 CVE-2013-6429
CVE-2013-4517 CVE-2013-4152 CVE-2013-2192
CVE-2013-2172 CVE-2013-2035
Reference: ASB-2013.0113
ESB-2013.0951
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2014-0400.html
https://rhn.redhat.com/errata/RHSA-2014-0401.html
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running Red Hat JBoss Fuse or Red Hat JBoss A-MQ check for an
updated version of the software for their operating system.
This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Fuse 6.1.0 update
Advisory ID: RHSA-2014:0400-03
Product: Red Hat JBoss Fuse
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0400.html
Issue date: 2014-04-14
CVE Names: CVE-2013-2035 CVE-2013-2172 CVE-2013-2192
CVE-2013-4152 CVE-2013-4517 CVE-2013-6429
CVE-2013-6430 CVE-2014-0050 CVE-2014-0054
CVE-2014-0085 CVE-2014-1904
=====================================================================
1. Summary:
Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
2. Description:
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Security fixes:
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)
It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
3. Solution:
All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging
1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429
5. References:
https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-2172.html
https://www.redhat.com/security/data/cve/CVE-2013-2192.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-4517.html
https://www.redhat.com/security/data/cve/CVE-2013-6429.html
https://www.redhat.com/security/data/cve/CVE-2013-6430.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://www.redhat.com/security/data/cve/CVE-2014-0054.html
https://www.redhat.com/security/data/cve/CVE-2014-0085.html
https://www.redhat.com/security/data/cve/CVE-2014-1904.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTS/JWXlSAg2UNWIIRAh+fAJ9677T5eyaDWJuYLiFlhdkjOhZncgCgwPG0
4iA38miFgmWgRtUp0Xztb6E=
=/1+z
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss A-MQ 6.1.0 update
Advisory ID: RHSA-2014:0401-02
Product: Red Hat JBoss A-MQ
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0401.html
Issue date: 2014-04-14
CVE Names: CVE-2013-2035 CVE-2013-2192 CVE-2013-4152
CVE-2013-6429 CVE-2013-6430 CVE-2014-0050
CVE-2014-0054 CVE-2014-0085 CVE-2014-1904
=====================================================================
1. Summary:
Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Description:
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
The following security issues are resolved with this update:
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging
1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429
5. References:
https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-2192.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-6429.html
https://www.redhat.com/security/data/cve/CVE-2013-6430.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://www.redhat.com/security/data/cve/CVE-2014-0054.html
https://www.redhat.com/security/data/cve/CVE-2014-0085.html
https://www.redhat.com/security/data/cve/CVE-2014-1904.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTS/SnXlSAg2UNWIIRAjfhAJ9FI0X+7Dz06mH7UxBXwT82JEYWdACgn/2k
ft7Xn9xiuZb/emiN+JXVSF4=
=qShr
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU0yDJhLndAQH1ShLAQJl4BAAj5Z6plvU8XWSiyNKm0Q5teOg17Kvkbk1
fPJPjvbTZEA7w07cYzI/vjUNJt8JL65W67PoT7Rvc/mSbF/vbKjIVKyfjEzhyRF2
5KRyU/2sL5OUsSq93pxLO9yYztgvrM5hUSwVfOxOl3sLtr53UUqclw0bcSGxEubO
4M9gDQTA5oBGmq4B7dchKC05xwxlbdyhol4siE41JJBjS/Wfs/aYo+oiAE1BpB+T
HGRfSk75cd8dtgsnCdw72y1NEDXE0zi5J7enG7X5wxobjMe+k0U3a2kFabB7VFaP
9JDB4TfyRgZu77t6kbA5BlBJcKSG7YhJXN2c5jxqR42YL1e8WQFcxJuYDmD9xZiY
4zbTyDVc8wa3UqghG5LT7fvjzzVJ//mvG9TRhLyPqUqh0UMmP3CYSIwDmwGPi66N
0PYq4SWhAfSkIZQ6Mf4JwH9yChqMlCOScS5jnJ2i/uk0MuEpffIQK/BjQZwtTl1N
62+3v8bwhSaIh0qfKK7RoytSRRbiLaIuj6qI8zMK23es9/BjFKAKgpN+49AYvrYq
vXZj1NwW6X67llqT4QPv0SFNX1rBzswFddvOQiQaVlbZwgY+rKYa+TbfyzvAQhoq
t6USkSiej3k/Dm6R1O+e9dSj3nO30dyuKmRJgsRr8wMR+u7k+eRrM2sNita62oKi
hIP66n0VWFI=
=Bouk
-----END PGP SIGNATURE-----