[RHSA-2011:0333-01] Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update
bugzilla at redhat.com
bugzilla at redhat.com
Wed Mar 9 18:52:08 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update
Advisory ID: RHSA-2011:0333-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0333.html
Issue date: 2011-03-09
CVE Names: CVE-2010-4476
=====================================================================
1. Summary:
Updated jbossweb-2.0.0.jar and jbossweb-2.1.10.jar files for JBoss
Enterprise SOA Platform 4.3.CP04 and 5.0.2 that fix one security issue are
now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
2. Description:
JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure. JBoss Enterprise SOA Platform allows IT
to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.
A denial of service flaw was found in the way certain strings were
converted to Double objects. A remote attacker could use this flaw to cause
JBoss Web Server to hang via a specially-crafted HTTP request.
(CVE-2010-4476)
All users of JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 as provided
from the Red Hat Customer Portal are advised to install this update. Refer
to the Solution section of this erratum for update instructions.
3. Solution:
Updated jbossweb-2.0.0.jar (for 4.3.CP04) and jbossweb-2.1.10.jar (for
5.0.2) files that fix CVE-2010-4476 for JBoss Enterprise SOA Platform
4.3.CP04 and 5.0.2 are available from the Red Hat Customer Portal. To
download and install the updated files:
1) Log into the Customer Portal: https://access.redhat.com/login
2) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
3) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"SOA Platform". Then, using the "Version:" drop down menu, select the SOA
Platform version you are using, such as "4.3.0.GA_CP04" or "5.0.2 GA".
4) From the "Security Advisories" tab, click the "CVE-2010-4476 JBossweb
update fixing JDK double bug..." link in the "Download File" column. The
"Software Details" page is displayed, where you can download the update
and view installation instructions.
5) Backup your existing jbossweb.jar file (refer to the "Software Details"
page, from step 4, for the location of this file).
6) After downloading the update, ensure you backed up your existing
jbossweb.jar file as per step 5, and then follow the manual installation
step on the "Software Details" page. Note that it is recommended to halt
the JBoss Enterprise SOA Platform server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the JBoss Enterprise SOA Platform server by starting the
JBoss Application Server process.
4. Bugs fixed (http://bugzilla.redhat.com/):
674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
5. References:
https://www.redhat.com/security/data/cve/CVE-2010-4476.html
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFNd8xJXlSAg2UNWIIRAmYSAKCpxwgBz8N1y48HHRcZm1WgITSXcQCfcW2B
7djxaB2eVIzFMv7ZL+6puvU=
=SvR1
-----END PGP SIGNATURE-----
More information about the Jboss-watch-list
mailing list