RHEL 5 : JBoss EAP (RHSA-2014:0564)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated packages that provide Red Hat JBoss Enterprise Application
Platform 6.2.3 and fix one security issue, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was found that the security auditing functionality provided by
PicketBox and JBossSX, both security frameworks for Java applications,
used a world-readable audit.log file to record sensitive information.
A local user could possibly use this flaw to gain access to the
sensitive information in the audit.log file. (CVE-2014-0059)
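The flaw above is a file-permission exposure: the audit log is written with a mode that lets any local account read it. The following is an added example (not part of the advisory, and not Red Hat or Tenable code) showing how an administrator or detection script can check for that condition and correct it. It builds its own sample tree under a temporary directory; the directory names `standalone/log` and `domain/log` and the 0644 and 0600 modes are constructed for the demonstration, not taken from a real EAP installation.

```python
import os
import stat
import tempfile

# Names of log files that hold sensitive audit records and should never be
# readable by "other". The list is an assumption for this example.
SENSITIVE_LOG_NAMES = ("audit.log",)


def is_world_readable(path):
    """Return True if the 'other' read bit (o+r) is set on path."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def find_exposed_logs(root, names=SENSITIVE_LOG_NAMES):
    """Walk root and return sorted paths of named log files readable by all users."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in names:
                full = os.path.join(dirpath, name)
                if is_world_readable(full):
                    exposed.append(full)
    return sorted(exposed)


def restrict_to_owner(path):
    """Drop group/other permissions; the owner keeps read and write (0600).

    Returns the resulting mode as an octal string so callers can verify it."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def build_sample_tree():
    """Constructed sample: one world-readable audit.log and one already private."""
    root = tempfile.mkdtemp(prefix="eap-audit-demo-")
    exposed_dir = os.path.join(root, "standalone", "log")
    private_dir = os.path.join(root, "domain", "log")
    os.makedirs(exposed_dir)
    os.makedirs(private_dir)
    for directory, mode in ((exposed_dir, 0o644), (private_dir, 0o600)):
        path = os.path.join(directory, "audit.log")
        with open(path, "w") as fh:
            fh.write("constructed audit record\n")
        # Set the mode explicitly so the process umask cannot alter the outcome.
        os.chmod(path, mode)
    return root


def demo():
    """Scan the constructed tree, fix what is exposed, and rescan."""
    root = build_sample_tree()
    before = find_exposed_logs(root)
    for path in before:
        restrict_to_owner(path)
    after = find_exposed_logs(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after :", after)
```

Run against a real installation by pointing `find_exposed_logs` at the EAP log directory instead of the constructed tree; the permission check reads only the mode bits, so it is safe to run as an unprivileged user, while `restrict_to_owner` needs to run as the file owner or root.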

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.2.2, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red
Hat JBoss Enterprise Application Platform 6.2.3 Release Notes, linked
to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red
Hat Enterprise Linux 5 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to
take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-0059.html
https://access.redhat.com/site/documentation/en-US/
http://rhn.redhat.com/errata/RHSA-2014-0564.html

Solution :

Update the affected packages.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 74207

Bugtraq ID: 67683

CVE ID: CVE-2014-0059