ESB-2014.1092.2 - UPDATE [RedHat] Red Hat JBoss Enterprise Application Platform 6.2.4: Multiple vulnerabilities

Date: 09 July 2014
References: ESB-2014.0828  ESB-2014.1073  ESB-2014.1082  ASB-2014.0074  ESB-2014.1126  ESB-2014.1343  ESB-2014.1363  ESB-2014.1507  ESB-2015.0391  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.1092.2
          Moderate: Red Hat JBoss Enterprise Application Platform
                           6.2.4 security update
                                9 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Enterprise Application Platform 6.2.4
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Reduced Security         -- Remote/Unauthenticated      
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0119 CVE-2014-0099 CVE-2014-0096
                   CVE-2014-0075  

Reference:         ESB-2014.1082
                   ESB-2014.1073
                   ESB-2014.0828

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2014-0842.html
   https://rhn.redhat.com/errata/RHSA-2014-0843.html

Comment: This bulletin contains two (2) Red Hat security advisories.

Revision History:  July 9 2014: Fixed OS field
                   July 8 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
Advisory ID:       RHSA-2014:0842-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0842.html
Issue date:        2014-07-07
CVE Names:         CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 
                   CVE-2014-0119 
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.2.4 that
fixes multiple security issues is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.

All users of Red Hat JBoss Enterprise Application Platform 6.2.4 as
provided from the Red Hat Customer Portal are advised to apply this update.
The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing Red Hat JBoss Enterprise Application Platform installation and
deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTurYSXlSAg2UNWIIRAlDYAJ496i6dFcgxkX/W2eSS7Z+dvfpakQCbBRrD
Pq39VOFGH547g3Gu3ZXbBuk=
=0pO5
- -----END PGP SIGNATURE-----

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
Advisory ID:       RHSA-2014:0843-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0843.html
Issue date:        2014-07-07
CVE Names:         CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 
                   CVE-2014-0119 
=====================================================================

1. Summary:

Updated Red Hat JBoss Enterprise Application Platform 6.2.4 packages that
fix multiple security issues are now available for Red Hat Enterprise Linux
5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
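The two request-parsing weaknesses described above, CVE-2014-0099 (content-length overflow) and CVE-2014-0075 (unbounded chunk sizes), are identical in both advisories; the following is an added example, not code from the advisory or from JBoss Web, that models an overflow-unaware Content-Length parser beside a strict one and a bounded chunk-size parser. The 8-hex-digit chunk-size cap and the signed 64-bit accumulator are assumptions made for the illustration.

```python
"""Simplified model of the content-length and chunk-size parsing the
advisory describes, with hardened counterparts (added example)."""
import re

INT64_MAX = 2**63 - 1
MAX_CHUNK_SIZE_HEX_DIGITS = 8   # assumption: caps a chunk at 2**32 - 1 bytes


def parse_content_length_wrapping(value: str) -> int:
    """Overflow-unaware model: digits are accumulated into a signed 64-bit
    register, so an oversized value silently wraps instead of being rejected."""
    n = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        n = n * 10 + int(ch)
        n = ((n + 2**63) % 2**64) - 2**63   # emulate signed 64-bit wraparound
    return n


def parse_content_length_strict(value: str) -> int:
    """Hardened parse: plain decimal only, at most 19 digits, and in range.
    Anything else is rejected rather than coerced."""
    value = value.strip()
    if not re.fullmatch(r"[0-9]{1,19}", value):
        raise ValueError("malformed Content-Length")
    n = int(value)
    if n > INT64_MAX:
        raise ValueError("Content-Length out of range")
    return n


def parse_chunk_size_strict(line: str) -> int:
    """Hardened chunk-size line parse: bounded number of hex digits,
    chunk extensions after ';' ignored, anything else rejected."""
    size_part = line.split(";", 1)[0].strip()
    pattern = r"[0-9A-Fa-f]{1,%d}" % MAX_CHUNK_SIZE_HEX_DIGITS
    if not re.fullmatch(pattern, size_part):
        raise ValueError("chunk-size too long or malformed")
    return int(size_part, 16)


def lengths_disagree(value: str) -> bool:
    """True when the wrapping parser and an exact parser read different body
    lengths from the same header: the desync a smuggling attack relies on."""
    return parse_content_length_wrapping(value) != int(value.strip())


if __name__ == "__main__":
    # constructed header value: 2**64 + 5, wraps to 5 in the naive parser
    print(parse_content_length_wrapping("18446744073709551621"))   # 5
    print(lengths_disagree("18446744073709551621"))                # True
```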

All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized Red
Hat JBoss Enterprise Application Platform 6 configuration files. On update,
the configuration files that have been locally modified will not be
updated. The updated version of such files will be stored as the rpmnew
files. Make sure to locate any such files after the update and merge any
changes manually.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:

Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.src.rpm

noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:

Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.src.rpm

noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTurZGXlSAg2UNWIIRAjQuAJ9G3FrmmxQq8xNK5ngLTL/E35dXQgCdFTvu
rNpjwHEU4w/Fa4I/WyPuVh0=
=tXq5
- - -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================