ESB-2016.0158 - [RedHat] Red Hat JBoss Web Server: Multiple vulnerabilities

Date: 22 January 2016
References: ASB-2015.0009  ASB-2015.0070  ASB-2015.0103  ASB-2016.0004  ESB-2016.0548  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0158
            Moderate: Red Hat JBoss Web Server Security Updates
                              22 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3183 CVE-2013-5704 CVE-2012-1148
                   CVE-2012-0876  

Reference:         ASB-2016.0004
                   ASB-2015.0103
                   ASB-2015.0070
                   ASB-2015.0009

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2016-0061.html
   https://rhn.redhat.com/errata/RHSA-2016-0062.html

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd and httpd22 security update
Advisory ID:       RHSA-2016:0061-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0061.html
Issue date:        2016-01-21
CVE Names:         CVE-2013-5704 CVE-2015-3183 
=====================================================================

1. Summary:

Updated httpd and httpd22 packages that fix two security issues are now
available for Red Hat JBoss Web Server 2.1.0 for Red Hat Enterprise Linux
5, 6, and 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available from the CVE links in the
References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 7 Server - x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)

Users of httpd or httpd22 are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
the updated packages, the httpd or httpd22 service must be restarted
manually for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
httpd-2.2.26-41.ep6.el5.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.src.rpm

i386:
httpd-2.2.26-41.ep6.el5.i386.rpm
httpd-debuginfo-2.2.26-41.ep6.el5.i386.rpm
httpd-devel-2.2.26-41.ep6.el5.i386.rpm
httpd-manual-2.2.26-41.ep6.el5.i386.rpm
httpd-tools-2.2.26-41.ep6.el5.i386.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el5.i386.rpm
mod_ssl-2.2.26-41.ep6.el5.i386.rpm

x86_64:
httpd-2.2.26-41.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.26-41.ep6.el5.x86_64.rpm
httpd-devel-2.2.26-41.ep6.el5.x86_64.rpm
httpd-manual-2.2.26-41.ep6.el5.x86_64.rpm
httpd-tools-2.2.26-41.ep6.el5.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el5.x86_64.rpm
mod_ssl-2.2.26-41.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
httpd-2.2.26-41.ep6.el6.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.src.rpm

i386:
httpd-2.2.26-41.ep6.el6.i386.rpm
httpd-debuginfo-2.2.26-41.ep6.el6.i386.rpm
httpd-devel-2.2.26-41.ep6.el6.i386.rpm
httpd-manual-2.2.26-41.ep6.el6.i386.rpm
httpd-tools-2.2.26-41.ep6.el6.i386.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm
mod_ssl-2.2.26-41.ep6.el6.i386.rpm

x86_64:
httpd-2.2.26-41.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.26-41.ep6.el6.x86_64.rpm
httpd-devel-2.2.26-41.ep6.el6.x86_64.rpm
httpd-manual-2.2.26-41.ep6.el6.x86_64.rpm
httpd-tools-2.2.26-41.ep6.el6.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm
mod_ssl-2.2.26-41.ep6.el6.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 7 Server:

Source:
httpd22-2.2.26-42.ep6.el7.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.src.rpm

x86_64:
httpd22-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-debuginfo-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-devel-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-manual-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-tools-2.2.26-42.ep6.el7.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm
mod_ssl22-2.2.26-42.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWoP+GXlSAg2UNWIIRAl+vAJ0Xcs6ZW4dyE4Po3FbTYRTnC5eibwCghna6
uwTN3stBd2AbzXGPk9SFRDI=
=n95V
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.1.0 security update
Advisory ID:       RHSA-2016:0062-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0062.html
Issue date:        2016-01-21
CVE Names:         CVE-2012-0876 CVE-2012-1148 CVE-2013-5704 
                   CVE-2015-3183 
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 2.1.0 that fixes four security
issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores, 
which give detailed severity ratings, are available for each vulnerability 
from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of 
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector 
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat 
Native library.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

A denial of service flaw was found in the implementation of hash arrays in 
Expat. An attacker could use this flaw to make an application using Expat 
consume an excessive amount of CPU time by providing a specially-crafted
XML file that triggers multiple hash function collisions. To mitigate this
issue, randomization has been added to the hash function to reduce the
chance of an attacker successfully causing intentional collisions.
(CVE-2012-0876)

A memory leak flaw was found in Expat. If an XML file processed by an 
application linked against Expat triggered a memory re-allocation failure, 
Expat failed to free the previously allocated memory. This could cause the 
application to exit unexpectedly or crash when all available memory is 
exhausted. (CVE-2012-1148)
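The memory leak described for CVE-2012-1148 is the classic C mistake of assigning the result of realloc() straight back to the only pointer that owns the old block: when realloc() fails it returns NULL but leaves the old block allocated, and that block is now unreachable. Because a parser grows its buffers as the input dictates, the attacker decides when the grow happens, and can repeat it across many files. The following example is added here and is not Expat's or Red Hat's code; the pool_t type, the x_malloc/x_realloc/x_free wrappers, the 16-byte and 1 MiB sizes and the fault-injection flag are all this example's own assumptions, used only to make the leak observable.

```c
/* Added example, not Expat's code: the realloc() idiom that leaks the old
 * block when allocation fails, beside the corrected form, driven by a
 * fault-injecting allocator so the leak can be observed and counted. */
#include <stdio.h>
#include <stdlib.h>

static int live_blocks;   /* blocks handed out and not yet freed */
static int fail_next;     /* when set, the next allocation fails once */

/* Wrappers standing in for a parser's pluggable memory hooks (assumed). */
static void *x_malloc(size_t n)
{
    if (fail_next) { fail_next = 0; return NULL; }
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}
static void *x_realloc(void *p, size_t n)
{
    if (fail_next) { fail_next = 0; return NULL; }   /* old block untouched */
    void *q = realloc(p, n);
    if (q && !p) live_blocks++;                      /* realloc(NULL, n) */
    return q;
}
static void x_free(void *p)
{
    if (p) { live_blocks--; free(p); }
}

/* A string pool whose block grows as the parser appends tokens; the input
 * therefore decides when (and how often) a grow happens. */
typedef struct { char *block; size_t cap; } pool_t;

/* Leaky form: the realloc() result overwrites the only pointer to the old
 * block. On failure that pointer becomes NULL and the block is orphaned. */
int pool_grow_leaky(pool_t *pool, size_t newcap)
{
    pool->block = x_realloc(pool->block, newcap);
    if (pool->block == NULL) return 0;
    pool->cap = newcap;
    return 1;
}

/* Corrected form: keep the old pointer until realloc() has succeeded, so a
 * failed grow leaves the pool exactly as it was (still freeable). */
int pool_grow_safe(pool_t *pool, size_t newcap)
{
    char *tmp = x_realloc(pool->block, newcap);
    if (tmp == NULL) return 0;
    pool->block = tmp;
    pool->cap = newcap;
    return 1;
}

/* Allocate a pool, force its next grow to fail, tear it down, and report how
 * many blocks are still live: 0 means the failed grow leaked nothing. */
int leaked_blocks_after_failed_grow(int (*grow)(pool_t *, size_t))
{
    pool_t pool = { NULL, 0 };
    live_blocks = 0;
    pool.block = x_malloc(16);
    pool.cap = 16;
    fail_next = 1;                           /* the grow below will fail */
    if (grow(&pool, 1u << 20)) return -1;    /* unexpected: fault not injected */
    x_free(pool.block);                      /* no-op when the block was lost */
    return live_blocks;
}

int main(void)
{
    printf("leaky grow: %d block(s) leaked\n", leaked_blocks_after_failed_grow(pool_grow_leaky));
    printf("safe grow:  %d block(s) leaked\n", leaked_blocks_after_failed_grow(pool_grow_safe));
    return 0;
}
```

Running it shows one block leaked by the leaky grow and none by the corrected one. The same check can be made on real code with a fault-injecting allocator or a leak checker: any `p = realloc(p, n)` where `p` is the sole owner is the pattern to grep for.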

A flaw was found in the way httpd handled HTTP Trailer headers when 
processing requests using chunked encoding. A malicious client could use 
Trailer headers to set additional HTTP headers after header processing was 
performed by other modules. This could, for example, lead to a bypass of 
header restrictions defined with mod_headers. (CVE-2013-5704)
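The two httpd flaws described in this advisory and in RHSA-2016:0061 above, CVE-2015-3183 and CVE-2013-5704, both live in the handling of chunked transfer encoding. The first is a parser-disagreement problem: request smuggling becomes possible as soon as a front proxy and the origin place a chunk boundary in different places for the same bytes. The second is a trust-boundary problem: trailer fields arrive after the header block has already been inspected, so merging them into the header set lets a client add headers that no earlier check saw. The following example is added here and is not httpd's, Red Hat's or any proxy's code; it contrasts a strict RFC 7230 chunk-size parser with a lenient strtoull()-based one, reports lines on which they disagree, and decodes a body while keeping trailers in a separate buffer. The function names, the 16-hex-digit cap on the chunk size and the sample body are this example's own assumptions, not httpd's limits or behaviour.

```c
/* Added example, not httpd's or Red Hat's code: a strict RFC 7230 chunk-size
 * parser beside a lenient one, a check for lines they decode differently,
 * and a chunked decoder that keeps trailers out of the header set. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK_HEX_DIGITS 16   /* this example's cap, not httpd's */

/* chunk-size = 1*HEXDIG [ chunk-ext ]: no whitespace, sign or "0x" prefix,
 * and a bounded digit count. Returns 0 and the size, or -1 if malformed. */
int parse_chunk_size_strict(const char *line, uint64_t *size)
{
    uint64_t v = 0;
    int digits = 0;
    while (isxdigit((unsigned char)*line)) {
        int c = tolower((unsigned char)*line++);
        if (++digits > MAX_CHUNK_HEX_DIGITS) return -1;
        v = v * 16 + (uint64_t)(c >= 'a' ? c - 'a' + 10 : c - '0');
    }
    if (digits == 0 || (*line != '\0' && *line != ';')) return -1;
    *size = v;
    return 0;
}

/* Lenient parser: strtoull() skips leading whitespace and accepts "+", "-"
 * (negated!) and a "0x" prefix, so " 5", "+5" and "0x5" all read as 5. */
int parse_chunk_size_lenient(const char *line, uint64_t *size)
{
    char *end;
    *size = strtoull(line, &end, 16);
    return end == line ? -1 : 0;
}

/* 1 if a proxy using one parser and an origin using the other would put the
 * chunk boundary in different places, or only one of them would reject it. */
int parsers_disagree(const char *line)
{
    uint64_t a = 0, b = 0;
    int ra = parse_chunk_size_strict(line, &a), rb = parse_chunk_size_lenient(line, &b);
    return ra != rb || (ra == 0 && a != b);
}

/* Decode a NUL-terminated text body. Data goes to `out`; trailer field lines
 * go verbatim to `trailers`, which the caller must keep apart from the header
 * set that other modules already acted on. Returns decoded length or -1. */
long decode_chunked(const char *body, char *out, size_t outcap,
                    char *trailers, size_t trcap)
{
    size_t outlen = 0, trlen = 0;
    const char *p = body, *eol;
    char line[32];
    uint64_t n;
    for (;;) {
        if (!(eol = strstr(p, "\r\n")) || (size_t)(eol - p) >= sizeof line) return -1;
        memcpy(line, p, (size_t)(eol - p));
        line[eol - p] = '\0';
        if (parse_chunk_size_strict(line, &n) != 0) return -1;
        p = eol + 2;
        if (n == 0) break;                                  /* last-chunk */
        if (n >= outcap - outlen || strlen(p) < n + 2 || memcmp(p + n, "\r\n", 2)) return -1;
        memcpy(out + outlen, p, (size_t)n);
        outlen += (size_t)n;
        p += n + 2;
    }
    while (strncmp(p, "\r\n", 2) != 0) {                    /* trailer section */
        if (!(eol = strstr(p, "\r\n"))) return -1;
        size_t ll = (size_t)(eol - p) + 2;
        if (ll >= trcap - trlen) return -1;
        memcpy(trailers + trlen, p, ll);
        trlen += ll;
        p = eol + 2;
    }
    out[outlen] = '\0';
    trailers[trlen] = '\0';
    return (long)outlen;
}

/* Constructed sample: one 5-byte chunk, then a trailer that tries to add a
 * header after the header block has already been processed. */
static const char SAMPLE_BODY[] = "5\r\nhello\r\n0\r\nX-Admin: true\r\n\r\n";

/* 1 if the sample decodes to "hello" with the trailer kept aside. */
int sample_trailer_kept_aside(void)
{
    char out[32], tr[64];
    return decode_chunked(SAMPLE_BODY, out, sizeof out, tr, sizeof tr) == 5
        && strcmp(out, "hello") == 0 && strcmp(tr, "X-Admin: true\r\n") == 0;
}

int main(void)
{
    const char *samples[] = { "5", "5;ext=1", "0x5", " 5", "+5", "-5", "00000000000000005" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s %s\n", samples[i], parsers_disagree(samples[i]) ? "DISAGREE" : "agree");
    printf("trailer kept aside: %d\n", sample_trailer_kept_aside());
    return 0;
}
```

Every line marked DISAGREE is one a smuggling attack could build on: the lenient side reads a size the strict side refuses, so the two ends of the connection stop agreeing on where one request ends and the next begins. The decoder returns the trailer text to the caller instead of writing it into the request's headers, which is the property that closes the mod_headers bypass: anything in the trailer section must be treated as untrusted input that arrived after header processing, not as part of the header set.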

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat 
Customer Portal are advised to apply this update. The Red Hat JBoss Web 
Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

786617 - CVE-2012-0876 expat: hash table collisions CPU usage DoS
801648 - CVE-2012-1148 expat: Memory leak in poolGrow
1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

5. References:

https://access.redhat.com/security/cve/CVE-2012-0876
https://access.redhat.com/security/cve/CVE-2012-1148
https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWoP+OXlSAg2UNWIIRAmwSAJ9P8tubWwCMgf0/pn0FHW0+9lJi5gCfRjzk
uZNZSNVSpGDhmFbDwlBzdyw=
=oXVf
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================