[RHSA-2015:1672-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
bugzilla at redhat.com
bugzilla at redhat.com
Mon Aug 24 18:50:03 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID: RHSA-2015:1672-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1672.html
Issue date: 2015-08-24
CVE Names: CVE-2015-3158
=====================================================================
1. Summary:
An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that
fixes a security issue, several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
2. Description:
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.4.2 and includes bug fixes and enhancements.
Documentation for these changes is available from the Red Hat JBoss
Enterprise Application Platform 6.4.3 Release Notes, linked to in the
References.
The following security issue is also fixed with this release:
It was discovered that under specific conditions that PicketLink
IDP ignores role based authorization. This could lead to an
authenticated user being able to access application resources
that are not permitted for a given role. (CVE-2015-3158)
All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat
Enterprise Linux 6 are advised to upgrade to this updated package, which
fixes these bugs and adds these enhancements. The JBoss server process must
be restarted for the update to take effect.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
1247691 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.20.Final-redhat-1
1247695 - RHEL6 RPMs: Upgrade jboss-modules to 1.3.7.Final-redhat-1
1247697 - RHEL6 RPMs: Upgrade jbossts to 4.17.30.Final-redhat-1
1247702 - RHEL6 RPMs: Upgrade jbossweb to 7.5.10.Final-redhat-1
1247707 - RHEL6 RPMs: Upgrade resteasy to 2.3.12.Final-redhat-1
5. References:
https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFV22daXlSAg2UNWIIRAgmkAJ0WKBA61ZETsa3+RlOF9qBA13alWgCghZV0
aIyNHSdNGH4NbC/hUB8pjd0=
=Aa8K
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list