[RHSA-2007:0151-01] Low: JBoss Application Server security update

bugzilla at redhat.com
Mon Apr 16 14:44:15 UTC 2007



---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Application Server security update
Advisory ID:       RHSA-2007:0151-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0151.html
Issue date:        2007-04-16
Updated on:        2007-04-16
Product:           JBoss Application Server
CVE Names:         CVE-2007-1354
---------------------------------------------------------------------

1. Summary:

Updated versions of JBoss Application Server that fix a security issue are
now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Problem description:

The JBoss Application Server is a powerful J2EE application server.

A flaw was found in the JMX Console fine-grained Access Control feature.
An administrator with only 'Read Mode' privileges to the JMX service could
gain additional privileges if another administrator who held 'Write Mode'
privileges was logged into the console and accessing it at the same time.
(CVE-2007-1354)

Note: Fine-grained Access Control was first added to JBoss Application
Server in June 2006; earlier versions are not affected by this issue.

Known vulnerable versions include: JBoss AS 4.0.2.GA_CP02, 4.0.2.GA_CP03,
4.0.2.GA_CP04, 4.0.5.GA, 4.0.5_CP01, and 4.0.5_CP02.

This vulnerability has been fixed in, and does not affect, JBoss AS
releases 5.0.0.Beta2, 4.2.0.GA, 4.0.5.SP1, 3.2.8.SP2, and cumulative
patches 4.0.5.GA_CP03, 4.0.2.GA_CP05, 4.0.4.GA_CP06, 4.0.3.SP1_CP05, and
3.2.8.SP1_CP01.

Users with an affected installation of JBoss Application Server who rely on
granting read-only privileges to the console should upgrade to one of these
updated versions.

3. Solution:

Updates are available from the JBoss Customer Support Portal (CSP)
at https://network.jboss.com/

4. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1354
http://jira.jboss.com/jira/browse/ASPATCH-172
http://jira.jboss.com/jira/browse/ASPATCH-175
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessControlForJMXConsole
http://www.redhat.com/security/updates/classification/#low

5. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.