RHEL 5 : JBoss EAP (RHSA-2012:1591)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix
multiple security issues, various bugs, and add enhancements are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application
Platform 6.0.0, and includes bug fixes and enhancements. Refer to the
6.0.1 Release Notes for information on the most significant of these
changes, available shortly from
https://access.redhat.com/knowledge/docs/

This update removes unused signed JARs
unused SHA1 checksums from JAR
MANIFEST.MF files to reduce the Server memory footprint
adds
MANIFEST.MF to JAR files where it was previously missing
and removes
redundant Javadoc files from the main packages. (BZ#853551)

Security fixes :

Apache CXF checked to ensure XML elements were signed or encrypted by
a Supporting Token, but not whether the correct token was used. A
remote attacker could transmit confidential information without the
appropriate security, and potentially circumvent access controls on
web services exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC
permissions should be used to determine access
however, due to a flaw
the configured authorization modules (JACC, XACML, etc.) were not
called, and the JACC permissions were not used to determine access to
an EJB. (CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of
WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead
to a client failing to sign or encrypt certain elements as directed by
the security policy, leading to information disclosure and insecure
information transmission. (CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and
returned a valid datasource connection when configured to
'allow-multiple-users'. A remote attacker, provided the correct
subject, could obtain a datasource connection that might belong to a
privileged user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing
attacks under certain conditions. Note that WS-Policy validation is
performed against the operation being invoked, and an attack must pass
validation to be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the
invocation should be denied for all users. It was found that the
processInvocation() method in
org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly
authorizes all method invocations to proceed when the list of allowed
roles is empty. (CVE-2012-4549)

It was found that in Mojarra, the FacesContext that is made available
during application startup is held in a ThreadLocal. The reference is
not properly cleaned up in all cases. As a result, if a JavaServer
Faces (JSF) WAR calls FacesContext.getCurrentInstance() during
application startup, another WAR can get access to the leftover
context and thus get access to the other WAR's resources. A local
attacker could use this flaw to access another WAR's resources using a
crafted, deployed application. (CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache
HTTP Server module. A remote attacker able to upload or create files
with arbitrary names in a directory that has the MultiViews options
enabled, could use this flaw to conduct cross-site scripting attacks
against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

Red Hat would like to thank the Apache CXF project for reporting
CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550
issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality
Engineering team
CVE-2012-3428 and CVE-2012-4549 were discovered by
Arun Neelicattu of the Red Hat Security Response Team
and
CVE-2012-2672 was discovered by Marek Schmidt and Stan Silvert of Red
Hat.

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed
applications. Refer to the Solution section for further details.

See also :

https://www.redhat.com/security/data/cve/CVE-2008-0455.html
https://www.redhat.com/security/data/cve/CVE-2012-2378.html
https://www.redhat.com/security/data/cve/CVE-2012-2379.html
https://www.redhat.com/security/data/cve/CVE-2012-2672.html
https://www.redhat.com/security/data/cve/CVE-2012-2687.html
https://www.redhat.com/security/data/cve/CVE-2012-3428.html
https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-4549.html
https://www.redhat.com/security/data/cve/CVE-2012-4550.html
https://access.redhat.com/knowledge/docs/
http://rhn.redhat.com/errata/RHSA-2012-1591.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true