[RHSA-2013:1286-01] Moderate: Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3

bugzilla at redhat.com bugzilla at redhat.com
Thu Sep 26 01:23:24 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3
Advisory ID:       RHSA-2013:1286-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1286.html
Issue date:        2013-09-26
CVE Names:         CVE-2013-4372 
=====================================================================

1. Summary:

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3, which fixes multiple security issues
and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an
integration platform. Red Hat JBoss A-MQ 6.0.0, based on Apache ActiveMQ,
is a standards compliant messaging system that is tailored for use in
mission critical applications.

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3 is an update to Red Hat JBoss Fuse
6.0.0 and Red Hat JBoss A-MQ 6.0.0, including bug fixes. Refer to the
readme file included with the patch files for information about these
fixes.

The following security issues are also resolved with this update:

Multiple stored cross-site scripting (XSS) flaws were found in the Fuse
Management Console. A remote attacker could use these flaws to perform an
XSS attack against other users of the Fuse Management Console.
(CVE-2013-4372)

All users of Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0 as
provided from the Red Hat Customer Portal are advised to apply this patch.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

1011736 - CVE-2013-4372 Fuse Management Console: Stored cross-site scripting (XSS)

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-4372.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.0.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSQ4x3XlSAg2UNWIIRAnGAAKC/POt1ZOo2W60ndfM7zpnIUPFi4ACgk3ON
f1ooJko08QNKd+zTFnmC5jU=
=Ssiz
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list