[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[RHSA-2014:0195-01] Moderate: Red Hat JBoss Portal 6.1.1 update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Portal 6.1.1 update
Advisory ID:       RHSA-2014:0195-01
Product:           Red Hat JBoss Portal
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0195.html
Issue date:        2014-02-20
CVE Names:         CVE-2013-4517 CVE-2013-6440 
=====================================================================

1. Summary:

Red Hat JBoss Portal 6.1.1, which fixes two security issues and various
bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat JBoss Portal is the open source implementation of the Java EE suite
of services and Portal services running atop Red Hat JBoss Enterprise
Application Platform.

This Red Hat JBoss Portal 6.1.1 release serves as a replacement for 6.1.0.
Refer to the 6.1.1 Release Notes for further information, available shortly
from https://access.redhat.com/site/documentation/en-US/

It was found that the ParserPool and Decrypter classes in the OpenSAML Java
implementation resolved external entities, permitting XML External Entity
(XXE) attacks. A remote attacker could use this flaw to read files
accessible to the user running the application server, and potentially
perform other more advanced XXE attacks. (CVE-2013-6440)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Portal 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Portal 6.1.1.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up all
applications deployed on JBoss Enterprise Portal Platform, along with all
customized configuration files, and any databases and database settings.

4. Bugs fixed (https://bugzilla.redhat.com/):

1043332 - CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-4517.html
https://www.redhat.com/security/data/cve/CVE-2013-6440.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Portal/

6. Contact:

The Red Hat security contact is <secalert redhat com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTBjvfXlSAg2UNWIIRAkYnAKCTIxhZ4lhxXU+rqb05KM456wW6PACeKk3I
wRRzvCvkza82sIuR1avyiXQ=
=2ILE
-----END PGP SIGNATURE-----



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]