Red Hat Security Advisory: JBoss Enterprise Application Platform 6.0.1 update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1594 Final 1 1 2012-12-18T22:43:00Z Current version 2012-12-18T22:43:00Z 2012-12-18T22:43:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-12-18T22:53:02Z JBoss Enterprise Application Platform 6.0.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/knowledge/docs/ Security fixes: Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379) When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. (CVE-2012-4550) A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. (CVE-2012-2378) A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to "allow-multiple-users". A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. (CVE-2012-3428) It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451) When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. (CVE-2012-4549) The apachectl script set an insecure library search path. Running apachectl in an attacker-controlled directory containing a malicious library file could cause arbitrary code execution with the privileges of the user running the apachectl script (typically the root user). This issue only affected JBoss Enterprise Application Platform on Solaris. (CVE-2012-0883) It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. (CVE-2012-2672) An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687) Red Hat would like to thank the Apache CXF project for reporting CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of the Red Hat Security Response Team; and CVE-2012-2672 was discovered by Marek Schmidt and Stan Silvert of Red Hat. Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1594.html https://rhn.redhat.com/errata/RHSA-2012-1594.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/knowledge/docs/ https://access.redhat.com/knowledge/docs/ https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. 2012-08-21T00:00:00Z 2012-06-13T00:00:00Z CVE-2008-0455 Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2008-0455.html CVE-2008-0455 https://bugzilla.redhat.com/show_bug.cgi?id=850794 bz#850794: CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled The apachectl script set an insecure library search path. Running apachectl in an attacker-controlled directory containing a malicious library file could cause arbitrary code execution with the privileges of the user running the apachectl script (typically the root user). This issue only affected JBoss Enterprise Application Platform on Solaris. 2012-04-17T00:00:00Z 2012-03-02T00:00:00Z CVE-2012-0883 Low 3.7 AV:L/AC:H/Au:N/C:P/I:P/A:P Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-0883.html CVE-2012-0883 https://bugzilla.redhat.com/show_bug.cgi?id=813559 bz#813559: CVE-2012-0883 httpd: insecure handling of LD_LIBRARY_PATH in envvars A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. 2012-05-28T00:00:00Z 2012-06-07T00:00:00Z CVE-2012-2378 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html http://cxf.apache.org/cve-2012-2378.html http://cxf.apache.org/cve-2012-2378.html https://www.redhat.com/security/data/cve/CVE-2012-2378.html CVE-2012-2378 https://bugzilla.redhat.com/show_bug.cgi?id=826533 bz#826533: CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side Red Hat would like to thank the Apache CXF project for reporting this issue. Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. 2012-05-28T00:00:00Z 2012-06-07T00:00:00Z CVE-2012-2379 Important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html http://cxf.apache.org/cve-2012-2379.html http://cxf.apache.org/cve-2012-2379.html https://www.redhat.com/security/data/cve/CVE-2012-2379.html CVE-2012-2379 https://bugzilla.redhat.com/show_bug.cgi?id=826534 bz#826534: CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token Red Hat would like to thank the Apache CXF project for reporting this issue. It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. 2012-06-01T00:00:00Z 2012-06-01T00:00:00Z CVE-2012-2672 Low 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-2672.html CVE-2012-2672 https://bugzilla.redhat.com/show_bug.cgi?id=829560 bz#829560: CVE-2012-2672 Mojarra: deployed web applications can read FacesContext from other applications under certain conditions This issue was discovered by Marek Schmidt and Stan Silvert of Red Hat. An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. 2012-08-21T00:00:00Z 2012-06-13T00:00:00Z CVE-2012-2687 Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-2687.html CVE-2012-2687 A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to "allow-multiple-users". A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. 2012-07-25T00:00:00Z 2012-12-18T00:00:00Z CVE-2012-3428 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-3428.html CVE-2012-3428 https://bugzilla.redhat.com/show_bug.cgi?id=843358 bz#843358: CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team. It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. 2012-08-25T00:00:00Z 2012-09-19T00:00:00Z CVE-2012-3451 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-3451.html CVE-2012-3451 https://bugzilla.redhat.com/show_bug.cgi?id=851896 bz#851896: CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services Red Hat would like to thank the Apache CXF project for reporting this issue. When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. 2012-10-29T00:00:00Z 2012-12-18T00:00:00Z CVE-2012-4549 Moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-4549.html CVE-2012-4549 https://bugzilla.redhat.com/show_bug.cgi?id=870868 bz#870868: CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team. When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. 2012-10-24T00:00:00Z 2012-04-19T00:00:00Z CVE-2012-4550 Important 6.8 AV:N/AC:L/Au:N/C:P/I:P/A:N Users of JBoss Enterprise Application Platform 6.0.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise Application Platform 6.0.1. The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. https://rhn.redhat.com/errata/RHSA-2012-1594.html https://www.redhat.com/security/data/cve/CVE-2012-4550.html CVE-2012-4550 https://bugzilla.redhat.com/show_bug.cgi?id=870871 bz#870871: CVE-2012-4550 JBoss JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied This issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.