Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.1 update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:0519 Final 1 1 2012-04-25T02:01:00Z Current version 2012-04-25T02:01:00Z 2012-04-25T02:01:00Z Red Hat rhsa-to-cvrf 1.0.1478 2012-05-01T14:46:08Z JBoss Enterprise Portal Platform 5.2.1, which fixes two security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience. This release of JBoss Enterprise Portal Platform 5.2.1 serves as a replacement for JBoss Enterprise Portal Platform 5.2.0, and includes bug fixes. Refer to the JBoss Enterprise Portal Platform 5.2.1 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html The following security issues are also fixed with this release: It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818) It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. (CVE-2011-4314) Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files. All users of JBoss Enterprise Portal Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Portal Platform 5.2.1. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate https://rhn.redhat.com/errata/RHSA-2012-0519.html https://rhn.redhat.com/errata/RHSA-2012-0519.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions https://docs.redhat.com/docs/en-US/index.html https://docs.redhat.com/docs/en-US/index.html It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java. 2011-11-16T00:00:00Z 2011-05-05T00:00:00Z CVE-2011-4314 Low 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files. https://rhn.redhat.com/errata/RHSA-2012-0519.html https://www.redhat.com/security/data/cve/CVE-2011-4314.html CVE-2011-4314 https://bugzilla.redhat.com/show_bug.cgi?id=754386 bz#754386: CVE-2011-4314 openid4java (AX extension): MITM due to improper validation of AX attribute signatures It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. 2012-01-24T00:00:00Z 2011-12-30T00:00:00Z CVE-2012-0818 Moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files. https://rhn.redhat.com/errata/RHSA-2012-0519.html https://www.redhat.com/security/data/cve/CVE-2012-0818.html CVE-2012-0818 https://bugzilla.redhat.com/show_bug.cgi?id=785631 bz#785631: CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw