RHEL 5 / 6 : JBoss EAP (RHSA-2014:0843)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

Updated Red Hat JBoss Enterprise Application Platform 6.2.4 packages
that fix multiple security issues are now available for Red Hat
Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was discovered that JBoss Web did not limit the length of chunk
sizes when using chunked transfer encoding. A remote attacker could
use this flaw to perform a denial of service attack against JBoss Web
by streaming an unlimited quantity of data, leading to excessive
consumption of server resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use
this flaw to perform an HTTP request smuggling attack on a JBoss Web
server located behind a reverse proxy that processed the content
length header correctly. (CVE-2014-0099)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External
Entities (XXEs) in provided XSLTs. A malicious application could use
this to circumvent intended security restrictions to disclose
sensitive information. (CVE-2014-0096)

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web
to process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected
XML parser(s) could then bypass the limits imposed on XML external
entities and/or gain access to the XML files processed for other web
applications deployed on the same JBoss Web instance. (CVE-2014-0119)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat
Product Security.

All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on
Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these
updated packages. The JBoss server process must be restarted for the
update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
http://rhn.redhat.com/errata/RHSA-2014-0843.html

Solution :

Update the affected jbossweb package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 76401 ()

Bugtraq ID: 67667
67668
67669
67671

CVE ID: CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119