Red Hat Security Advisory: JBoss Enterprise BRMS Platform 5.3.0 update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1028 Final 1 1 2012-06-22T01:11:00Z Current version 2012-06-22T01:11:00Z 2012-06-22T01:11:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-06-22T01:21:01Z JBoss Enterprise BRMS Platform 5.3.0, which fixes multiple security issues, various bugs, and adds enhancements is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server. This release of JBoss Enterprise BRMS Platform 5.3.0 serves as a replacement for JBoss Enterprise BRMS Platform 5.2.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise BRMS Platform 5.3.0 Release Notes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html The following security issues are also fixed with this release: It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085) When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377) Red Hat would like to thank Christian Schlüter (VIADA) for reporting CVE-2011-4605. Warning: Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). All users of JBoss Enterprise BRMS Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise BRMS Platform 5.3.0. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1028.html https://rhn.redhat.com/errata/RHSA-2012-1028.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions https://docs.redhat.com/docs/en-US/index.html https://docs.redhat.com/docs/en-US/index.html It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. 2011-10-26T00:00:00Z 2011-11-16T00:00:00Z CVE-2011-4085 Low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). https://rhn.redhat.com/errata/RHSA-2012-1028.html https://www.redhat.com/security/data/cve/CVE-2011-4085.html CVE-2011-4085 https://bugzilla.redhat.com/show_bug.cgi?id=750422 bz#750422: CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering) It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. 2011-12-07T00:00:00Z 2012-06-20T00:00:00Z CVE-2011-4605 Important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). https://rhn.redhat.com/errata/RHSA-2012-1028.html https://www.redhat.com/security/data/cve/CVE-2011-4605.html CVE-2011-4605 https://bugzilla.redhat.com/show_bug.cgi?id=766469 bz#766469: CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue. When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. 2012-05-17T00:00:00Z 2012-06-12T00:00:00Z CVE-2012-2377 Low 3.3 AV:A/AC:L/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise BRMS Platform installation (including its databases, applications, configuration files, and so on). https://rhn.redhat.com/errata/RHSA-2012-1028.html https://www.redhat.com/security/data/cve/CVE-2012-2377.html CVE-2012-2377 https://bugzilla.redhat.com/show_bug.cgi?id=823392 bz#823392: CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started