Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1232 Final 1 1 2012-09-05T16:25:00Z Current version 2012-09-05T16:25:00Z 2012-09-05T16:25:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-09-05T16:26:01Z JBoss Enterprise Portal Platform 5.2.2, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience. This release of JBoss Enterprise Portal Platform 5.2.2 serves as a replacement for JBoss Enterprise Portal Platform 5.2.1, and includes bug fixes. Refer to the JBoss Enterprise Portal Platform 5.2.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ The following security issues are also fixed with this release: It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625) It was found that the JMX Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the JMX Console, into visiting a specially-crafted URL, the attacker could perform operations on MBeans, which may lead to arbitrary code execution in the context of the JBoss server process. (CVE-2011-2908) A flaw was found in the way Apache POI, a Java API for manipulating files created with a Microsoft Office application, handled memory when processing certain Channel Definition Format (CDF) and Compound File Binary Format (CFBF) documents. A remote attacker could provide a specially-crafted CDF or CFBF document to an application using Apache POI, leading to a denial of service. (CVE-2012-0213) When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167) When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377) Red Hat would like to thank Christian Schlüter (VIADA) for reporting the CVE-2011-4605 issue. Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. All users of JBoss Enterprise Portal Platform 5.2.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Portal Platform 5.2.2. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1232.html https://rhn.redhat.com/errata/RHSA-2012-1232.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions https://access.redhat.com/knowledge/docs/ https://access.redhat.com/knowledge/docs/ A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). 2009-07-20T00:00:00Z 2009-08-05T00:00:00Z CVE-2009-2625 Moderate 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2009-2625.html CVE-2009-2625 https://bugzilla.redhat.com/show_bug.cgi?id=512921 bz#512921: CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701) It was found that the JMX Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the JMX Console, into visiting a specially-crafted URL, the attacker could perform operations on MBeans, which may lead to arbitrary code execution in the context of the JBoss server process. 2007-02-22T00:00:00Z 2007-02-22T00:00:00Z CVE-2011-2908 Moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2011-2908.html CVE-2011-2908 https://bugzilla.redhat.com/show_bug.cgi?id=730176 bz#730176: CVE-2011-2908 CSRF on jmx-console allows invocation of operations on mbeans It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. 2011-12-07T00:00:00Z 2012-06-20T00:00:00Z CVE-2011-4605 Important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2011-4605.html CVE-2011-4605 https://bugzilla.redhat.com/show_bug.cgi?id=766469 bz#766469: CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue. A flaw was found in the way Apache POI, a Java API for manipulating files created with a Microsoft Office application, handled memory when processing certain Channel Definition Format (CDF) and Compound File Binary Format (CFBF) documents. A remote attacker could provide a specially-crafted CDF or CFBF document to an application using Apache POI, leading to a denial of service. 2012-03-01T00:00:00Z 2012-05-09T00:00:00Z CVE-2012-0213 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2012-0213.html CVE-2012-0213 https://bugzilla.redhat.com/show_bug.cgi?id=799078 bz#799078: CVE-2012-0213 apache-poi, jakarta: JVM destabilization due to memory exhaustion when processing CDF/CFBF files When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. 2012-03-13T00:00:00Z 2012-06-12T00:00:00Z CVE-2012-1167 Moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2012-1167.html CVE-2012-1167 https://bugzilla.redhat.com/show_bug.cgi?id=802622 bz#802622: CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. 2012-05-17T00:00:00Z 2012-06-12T00:00:00Z CVE-2012-2377 Low 3.3 AV:A/AC:L/Au:N/C:P/I:N/A:N The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. https://rhn.redhat.com/errata/RHSA-2012-1232.html https://www.redhat.com/security/data/cve/CVE-2012-2377.html CVE-2012-2377 https://bugzilla.redhat.com/show_bug.cgi?id=823392 bz#823392: CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started