Detections
Analytics

RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.2.0 update (Low) (RHSA-2013:1785)

medium Nessus Plugin ID 71224

Language:

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1785 advisory.

 Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

 The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

 A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation.
 Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke. (CVE-2013-2133)

 The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2013-2133 issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat.

 This release serves as a replacement for JBoss Enterprise Application Platform 6.1.1, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the JBoss Enterprise Application Platform 6.2.0 Release Notes, linked to in the References.

 All users of JBoss Enterprise Application Platform 6.1.1 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
 The JBoss server process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?51de98ca

http://www.nessus.org/u?b58f13e3

https://access.redhat.com/security/updates/classification/#low

https://bugzilla.redhat.com/show_bug.cgi?id=1025512

https://bugzilla.redhat.com/show_bug.cgi?id=1025514

https://bugzilla.redhat.com/show_bug.cgi?id=1025515

https://bugzilla.redhat.com/show_bug.cgi?id=1025516

https://bugzilla.redhat.com/show_bug.cgi?id=1025517

https://bugzilla.redhat.com/show_bug.cgi?id=1025518

https://bugzilla.redhat.com/show_bug.cgi?id=1025519

https://bugzilla.redhat.com/show_bug.cgi?id=1025520

https://bugzilla.redhat.com/show_bug.cgi?id=1025521

https://bugzilla.redhat.com/show_bug.cgi?id=1025522

https://bugzilla.redhat.com/show_bug.cgi?id=1025523

https://bugzilla.redhat.com/show_bug.cgi?id=1025524

https://bugzilla.redhat.com/show_bug.cgi?id=1025525

https://bugzilla.redhat.com/show_bug.cgi?id=1025526

https://bugzilla.redhat.com/show_bug.cgi?id=1025527

https://bugzilla.redhat.com/show_bug.cgi?id=1025528

https://bugzilla.redhat.com/show_bug.cgi?id=1025529

https://bugzilla.redhat.com/show_bug.cgi?id=1025530

https://bugzilla.redhat.com/show_bug.cgi?id=1025531

https://bugzilla.redhat.com/show_bug.cgi?id=1025532

https://bugzilla.redhat.com/show_bug.cgi?id=1025533

https://bugzilla.redhat.com/show_bug.cgi?id=1025534

https://bugzilla.redhat.com/show_bug.cgi?id=1025535

https://bugzilla.redhat.com/show_bug.cgi?id=1025536

https://bugzilla.redhat.com/show_bug.cgi?id=1025537

https://bugzilla.redhat.com/show_bug.cgi?id=1025538

https://bugzilla.redhat.com/show_bug.cgi?id=1025539

https://bugzilla.redhat.com/show_bug.cgi?id=1025540

https://bugzilla.redhat.com/show_bug.cgi?id=1025541

https://bugzilla.redhat.com/show_bug.cgi?id=1025542

https://bugzilla.redhat.com/show_bug.cgi?id=1025543

https://bugzilla.redhat.com/show_bug.cgi?id=1025545

https://bugzilla.redhat.com/show_bug.cgi?id=1025546

https://bugzilla.redhat.com/show_bug.cgi?id=1025547

https://bugzilla.redhat.com/show_bug.cgi?id=1025548

https://bugzilla.redhat.com/show_bug.cgi?id=1025549

https://bugzilla.redhat.com/show_bug.cgi?id=1025550

https://bugzilla.redhat.com/show_bug.cgi?id=1025551

https://bugzilla.redhat.com/show_bug.cgi?id=1025552

https://bugzilla.redhat.com/show_bug.cgi?id=1032135

https://bugzilla.redhat.com/show_bug.cgi?id=1032155

https://bugzilla.redhat.com/show_bug.cgi?id=1032858

https://bugzilla.redhat.com/show_bug.cgi?id=958618

https://bugzilla.redhat.com/show_bug.cgi?id=969924

https://access.redhat.com/errata/RHSA-2013:1785

Plugin Details

Severity: Medium

ID: 71224

File Name: redhat-RHSA-2013-1785.nasl

Version: 1.22

Type: local

Agent: unix

Published: 12/5/2013

Updated: 3/20/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2013-2133

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:org.apache.felix.log, p-cpe:/a:redhat:enterprise_linux:jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:org.osgi.enterprise-eap6, p-cpe:/a:redhat:enterprise_linux:jettison, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:apache-cxf, p-cpe:/a:redhat:enterprise_linux:apache-commons-pool-eap6, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-aesh, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:stilts, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jcip-annotations-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-ext-api, p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo, p-cpe:/a:redhat:enterprise_linux:sun-ws-metadata-2.0-api, p-cpe:/a:redhat:enterprise_linux:apache-commons-daemon-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-api, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:weld-core, p-cpe:/a:redhat:enterprise_linux:jboss-dmr, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:ws-commons-neethi, p-cpe:/a:redhat:enterprise_linux:ws-commons-xmlschema, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:slf4j, p-cpe:/a:redhat:enterprise_linux:jdom-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:apache-commons-cli, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf12-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:dom4j-eap6, p-cpe:/a:redhat:enterprise_linux:jaxen, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:mod_cluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:velocity-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-security-xacml, p-cpe:/a:redhat:enterprise_linux:atinject-eap6, p-cpe:/a:redhat:enterprise_linux:xmltooling, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:jbossws-api, p-cpe:/a:redhat:enterprise_linux:objectweb-asm-eap6, p-cpe:/a:redhat:enterprise_linux:org.osgi.core-eap6, p-cpe:/a:redhat:enterprise_linux:apache-mime4j, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:xom, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:ws-scout, p-cpe:/a:redhat:enterprise_linux:apache-cxf-xjc-utils, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jbossws-native, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jansi, p-cpe:/a:redhat:enterprise_linux:xerces-j2-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-ts, p-cpe:/a:redhat:enterprise_linux:weld-cdi-1.0-api, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-impl-base, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-dv, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-vfs2, p-cpe:/a:redhat:enterprise_linux:slf4j-eap6, p-cpe:/a:redhat:enterprise_linux:jbosgi-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils, p-cpe:/a:redhat:enterprise_linux:opensaml, p-cpe:/a:redhat:enterprise_linux:apache-commons-configuration, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:hornetq-native, p-cpe:/a:redhat:enterprise_linux:juddi, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:xml-security, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-parent, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jgroups, p-cpe:/a:redhat:enterprise_linux:jbossws-common, p-cpe:/a:redhat:enterprise_linux:jboss-threads, p-cpe:/a:redhat:enterprise_linux:org.osgi-eap6, p-cpe:/a:redhat:enterprise_linux:javassist-eap6, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:mod_jk-ap22, p-cpe:/a:redhat:enterprise_linux:jacorb-jboss, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:openws, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:mod_jk, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-spi, p-cpe:/a:redhat:enterprise_linux:jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:jboss-jacc-api_1.4_spec, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-boolean, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:wsdl4j-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:wss4j, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:xjc-utils, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:gnu-getopt, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jbossws-spi, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:scannotation, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:jboss-weld-1.1-api, p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:shrinkwrap, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:org.apache.felix.configadmin, p-cpe:/a:redhat:enterprise_linux:jbossws-common-tools, p-cpe:/a:redhat:enterprise_linux:antlr-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2013

Reference Information

CVE: CVE-2013-2035, CVE-2013-2133

CWE: 377, 862

RHSA: 2013:1785