[RHSA-2014:0373-01] Moderate: Apache Commons Fileupload and JBoss Web security update

bugzilla at redhat.com bugzilla at redhat.com
Thu Apr 3 21:59:24 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache Commons Fileupload and JBoss Web security update
Advisory ID:       RHSA-2014:0373-01
Product:           Red Hat JBoss Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0373.html
Issue date:        2014-04-03
CVE Names:         CVE-2013-4286 CVE-2014-0050 
=====================================================================

1. Summary:

An update for the Apache Commons Fileupload and JBoss Web components that
fixes two security issues is now available from the Red Hat Customer Portal
for Red Hat JBoss BRMS 6.0.1 and Red Hat JBoss BPM Suite 6.0.1.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

JBoss Web Server is an enterprise ready web server designed for medium and
large applications, and is based on Tomcat. JBoss Web Server provides
organizations with a single deployment platform for Java Server Pages (JSP)
and Java Servlet technologies, PHP, and CGI. It uses a genuine high
performance hybrid technology that incorporates the best of the most recent
OS technologies for processing high volume data, while keeping all the
reference Java specifications.

Apache Commons FileUpload package makes it easy to add robust,
high-performance, file upload capability to servlets and web applications.

It was found that when JBoss Web processed a series of HTTP requests in
which at least one request contained either multiple content-length
headers, or one content-length header with a chunked transfer-encoding
header, JBoss Web would incorrectly handle the request. A remote attacker
could use this flaw to poison a web cache, perform cross-site scripting
(XSS) attacks, or obtain sensitive information from other requests.
(CVE-2013-4286)

A denial of service flaw was found in the way Apache Commons FileUpload,
which is embedded in the JBoss Web component of JBoss EAP bundled with
JBoss BRMS and BPM Suite, handled small-sized buffers used by
MultipartStream. A remote attacker could use this flaw to create a
malformed Content-Type header for a multipart request, causing JBoss Web to
enter an infinite loop when processing such an incoming request.
(CVE-2014-0050)

All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains download links (you must
log in to download the updates). Before applying the updates, back up
your existing installation, including all applications, configuration
files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update, and then after installing the
update, restart the server by starting the JBoss Application Server
process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1069921 - CVE-2013-4286 tomcat: incomplete fix for CVE-2005-2090

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-4286.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.0.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.0.1

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTPdmNXlSAg2UNWIIRAgR7AKCpF/GM0ZPGnl7kk1iEoAqsRnseKwCgvSWn
2LAP5hYcZ4D0KUr31fcButw=
=U9fo
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list