-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1176
              Moderate: Red Hat JBoss Data Grid 6.3.0 update
                               17 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Data Grid
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   Solaris
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0119 CVE-2014-0099 CVE-2014-0096
                   CVE-2014-0075 CVE-2014-0059 CVE-2014-0058

Reference:         ASB-2014.0077
                   ESB-2014.0828
                   ESB-2014.0236

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2014-0895.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat JBoss Data Grid check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Data Grid 6.3.0 update
Advisory ID:       RHSA-2014:0895-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0895.html
Issue date:        2014-07-16
CVE Names:         CVE-2014-0058 CVE-2014-0059 CVE-2014-0075 
                   CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 
=====================================================================

1. Summary:

Red Hat JBoss Data Grid 6.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.

This release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for
Red Hat JBoss Data Grid 6.2.1. It includes various bug fixes and
enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

This update also fixes the following security issues:

It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)
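The two framing checks described in the previous two paragraphs, as an added runnable model (this is example code written for this page, not code from the advisory, from JBoss Web or from the fix). The 64-bit integer width and the 8-digit chunk-size limit are assumed values chosen for illustration, not the limits JBoss Web actually uses; the sample inputs at the bottom are constructed.

```python
import re

# Added example, not code from the advisory or from JBoss Web: a minimal model
# of the two request-framing checks described above, so the failure modes can be
# run and inspected. INT_BITS and MAX_CHUNK_SIZE_DIGITS are assumed values for
# illustration, not the limits JBoss Web or the fix actually use.
INT_BITS = 64
MAX_CHUNK_SIZE_DIGITS = 8

_DECIMAL = re.compile(r"^[0-9]+$")
_HEX = re.compile(rb"^[0-9A-Fa-f]+$")


def parse_content_length_unchecked(value: str, bits: int = INT_BITS) -> int:
    """Accumulate decimal digits into a fixed-width signed integer with no
    overflow check. This is the class of bug the advisory describes for
    CVE-2014-0099: a value wider than the integer silently wraps."""
    text = value.strip()
    if not _DECIMAL.match(text):
        raise ValueError("Content-Length is not a decimal number")
    n = 0
    for ch in text:
        n = n * 10 + (ord(ch) - 48)
        n &= (1 << bits) - 1            # keep only `bits` bits...
        if n >= 1 << (bits - 1):        # ...and reinterpret as signed
            n -= 1 << bits
    return n


def parse_content_length_checked(value: str, bits: int = INT_BITS) -> int:
    """Same syntax, but a value that would not fit is rejected instead of
    wrapped, so a caller can trust the returned length."""
    text = value.strip()
    if not _DECIMAL.match(text):
        raise ValueError("Content-Length is not a decimal number")
    n = int(text)                        # Python ints are arbitrary precision
    if n > (1 << (bits - 1)) - 1:
        raise ValueError("Content-Length exceeds the integer range")
    return n


def content_length_views(value: str, bits: int = INT_BITS) -> dict:
    """How an unchecked parser and a checked one see the same header value.
    A proxy and a backend that answer differently here disagree about where
    the request body ends, which is the precondition for request smuggling.
    'checked' is None when the checked parser rejects the value."""
    try:
        checked = parse_content_length_checked(value, bits)
    except ValueError:
        checked = None
    return {"unchecked": parse_content_length_unchecked(value, bits),
            "checked": checked}


def read_chunk_size(line: bytes, max_digits: int = MAX_CHUNK_SIZE_DIGITS) -> int:
    """Parse the hex chunk-size at the start of a chunk header line, ignoring a
    ';name=value' chunk extension. The digit-count limit is the kind of bound
    the advisory says was missing (CVE-2014-0075): without it a client can send
    an endless run of leading zeros and keep the server reading."""
    size_part = line.split(b";", 1)[0].strip()
    if not _HEX.match(size_part):
        raise ValueError("chunk-size is not a hex number")
    if len(size_part) > max_digits:
        raise ValueError("chunk-size line too long")
    return int(size_part, 16)


if __name__ == "__main__":
    # Constructed inputs: a header that overflows a 64-bit parser, an ordinary
    # chunk header, and a chunk header padded past the digit limit.
    overflow = str((1 << 64) + 5)
    print(overflow, "->", content_length_views(overflow))
    print(read_chunk_size(b"1a;ext=x\r\n"))
    try:
        read_chunk_size(b"0" * 40 + b"1a\r\n")
    except ValueError as exc:
        print("rejected:", exc)
```

The overflowing header is the interesting case: the unchecked parser reports a body of 5 bytes while the checked one refuses the request. Two hops that disagree like this will desynchronise on the rest of the connection, which is why the advisory pairs the bug with a reverse proxy that parses the header correctly.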

It was found that the security audit functionality, provided by Red Hat
JBoss Data Grid, logged request parameters in plain text. This may have
caused passwords to be included in the audit log files when using BASIC or
FORM-based authentication. A local attacker with access to audit log files
could possibly use this flaw to obtain application or server authentication
credentials. Refer to the Solution section of this advisory for additional
information on the fix for this issue. (CVE-2014-0058)

It was found that the security auditing functionality provided by PicketBox
and JBossSX, both security frameworks for Java applications, used a
world-readable audit.log file to record sensitive information. A local user
could possibly use this flaw to gain access to the sensitive information in
the audit.log file. (CVE-2014-0059)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.

All users of Red Hat JBoss Data Grid 6.2.1 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.0.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Data Grid installation.

The provided patch to fix CVE-2014-0058 also allows greater control over
which of the following components of web requests are captured in audit
logs:

- parameters
- cookies
- headers
- attributes

It is also possible to selectively mask some elements of headers,
parameters, cookies, and attributes using masks. This capability is
provided by two system properties, which are introduced by this patch:

1) org.jboss.security.web.audit

Description:
This property controls the granularity of the security auditing of web
requests.

Possible values:
off = Disables auditing of web requests
headers = Audits only the headers of web requests
cookies = Audits only the cookies of web requests
parameters = Audits only the parameters of web requests
attributes = Audits only the attributes of web requests
headers,cookies,parameters = Audits the headers, cookies, and parameters of
web requests
headers,cookies = Audits the headers and cookies of web requests

Default Value:
headers, parameters

Examples:
Setting "org.jboss.security.web.audit=off" disables security auditing of
web requests entirely.
Setting "org.jboss.security.web.audit=headers" enables security auditing of
only headers in web requests.

2) org.jboss.security.web.audit.mask

Description:
This property can be used to specify a list of strings to be matched
against headers, parameters, cookies, and attributes of web requests.
Any element matching the specified masks will be excluded from security
audit logging.

Possible values:
Any comma separated string indicating keys of headers, parameters, cookies,
and attributes.

Default Value:
j_password, authorization

Note that currently the matching of the masks is fuzzy rather than strict.
For example, a mask of "authorization" will mask both the header called
authorization and the parameter called "custom_authorization". A future
release may introduce strict masks.
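The effect of the two properties on a sample request, as an added example (written for this page; it is not the patch's code and not PicketBox or JBoss Web code). The fuzzy matching is modelled as a case-insensitive substring test, which is an assumption that reproduces the "authorization" / "custom_authorization" behaviour described above; the strict variant is included only for comparison, and the sample request is constructed.

```python
# Added example, not code from the advisory, the patch, PicketBox or JBoss Web:
# a model of org.jboss.security.web.audit and
# org.jboss.security.web.audit.mask so the effect of each setting can be
# checked against a sample request. Fuzzy matching is modelled as a
# case-insensitive substring test (an assumption that matches the
# "authorization"/"custom_authorization" behaviour the advisory describes).

SECTIONS = ("headers", "cookies", "parameters", "attributes")
DEFAULT_AUDIT = "headers, parameters"          # default per the advisory
DEFAULT_MASK = "j_password, authorization"     # default per the advisory


def parse_audit_property(value: str) -> set:
    """org.jboss.security.web.audit: 'off' or a comma-separated section list."""
    value = value.strip().lower()
    if value == "off":
        return set()
    sections = {s.strip() for s in value.split(",") if s.strip()}
    unknown = sections - set(SECTIONS)
    if unknown:
        raise ValueError(f"unknown audit section(s): {sorted(unknown)}")
    return sections


def parse_mask_property(value: str) -> list:
    """org.jboss.security.web.audit.mask: comma-separated key fragments."""
    return [m.strip().lower() for m in value.split(",") if m.strip()]


def is_masked(key: str, masks: list, strict: bool = False) -> bool:
    """Fuzzy (substring) matching as the advisory describes; strict equality
    as the possible future behaviour, for comparison."""
    k = key.lower()
    return any(k == m if strict else m in k for m in masks)


def audit_view(request: dict, audit: str = DEFAULT_AUDIT,
               mask: str = DEFAULT_MASK, strict: bool = False) -> dict:
    """Return what reaches the audit log: only the enabled sections, with any
    key that matches a mask excluded (the advisory says masked elements are
    excluded, not redacted)."""
    enabled = parse_audit_property(audit)
    masks = parse_mask_property(mask)
    out = {}
    for section in SECTIONS:
        if section not in enabled:
            continue
        out[section] = {k: v for k, v in request.get(section, {}).items()
                        if not is_masked(k, masks, strict)}
    return out


# Constructed sample: a FORM login that also carries a BASIC Authorization
# header and a custom header/parameter whose names merely contain the mask.
SAMPLE_REQUEST = {
    "headers": {"Host": "grid.example",
                "Authorization": "Basic am9lOnMzY3JldA==",
                "X-Custom-Authorization": "token123"},
    "cookies": {"JSESSIONID": "abc123"},
    "parameters": {"j_username": "joe", "j_password": "s3cret",
                   "custom_authorization": "x"},
    "attributes": {"remote_addr": "203.0.113.7"},
}

if __name__ == "__main__":
    print("defaults:      ", audit_view(SAMPLE_REQUEST))
    print("headers only:  ", audit_view(SAMPLE_REQUEST, audit="headers"))
    print("off:           ", audit_view(SAMPLE_REQUEST, audit="off"))
    print("strict masks:  ", audit_view(SAMPLE_REQUEST, strict=True))
```

With the defaults, j_password, Authorization, X-Custom-Authorization and custom_authorization all drop out of the log, and cookies and attributes are never logged at all; with strict matching only the exact keys j_password and Authorization would be excluded. The fuzzy behaviour is the safer default for credentials, at the cost of occasionally hiding an unrelated element whose name happens to contain a mask.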

4. Bugs fixed (https://bugzilla.redhat.com/):

1063641 - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit
1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0058.html
https://www.redhat.com/security/data/cve/CVE-2014-0059.html
https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTxsOWXlSAg2UNWIIRAnvFAJ9oo6SpbAMA5fFfcl87bkcnKma7jQCeOY3U
BKYtD4zlGceUuD+E3C1i3vE=
=swqj
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=mrfM
-----END PGP SIGNATURE-----