Security Advisory Moderate: JBoss Enterprise Application Platform 4.3.0CP01 security update

Advisory: RHSA-2008:0828-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-08-05
Last updated on: 2008-08-05
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL5
OVAL: N/A
CVEs (cve.mitre.org): CVE-2008-1285
CVE-2008-3273

Details

Updated JBoss Enterprise Application Platform (JBoss EAP) packages that fix
various security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

JBoss EAP is a middleware platform for Java 2 Platform, Enterprise Edition
(J2EE) applications.

This release of JBoss EAP for Red Hat Enterprise Linux 5 contains the JBoss
Application Server and JBoss Seam. This release serves as a replacement for
JBoss EAP 4.3.0.GA, and fixes the following security issues:

The JavaServer Faces (JSF) component was vulnerable to multiple cross-site
scripting (XSS) vulnerabilities. An attacker could use these flaws to
inject arbitrary web script or HTML. (CVE-2008-1285)

Unauthenticated users were able to access the status servlet, which could
allow remote attackers to acquire details about deployed web contexts.
(CVE-2008-3273)

These updated packages include bug fixes and enhancements which are not
listed here. For a full list, refer to the JBoss EAP 4.3.0.CP01 release
notes, linked to in the "References" section of this advisory.

Warning: before applying this update, please back up the JBoss EAP
"server/[configuration]/deploy/" directory, and any customized
configuration files.

All users of JBoss EAP on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages, which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL5

SRPMS:
asm-1.5.3-1jpp.ep1.2.el5.src.rpm     01ad09dacec276e6bcc5f3c6377de20e
cglib-2.1.3-2jpp.ep1.6.el5.src.rpm     77ecac60ab173b2c6ecf54047a993388
concurrent-1.3.4-8jpp.ep1.6.el5.1.src.rpm     4b1a28a0f5cbad38c9089aa8efabc2e4
glassfish-jaf-1.1.0-0jpp.ep1.11.el5.1.src.rpm
File outdated by:  RHSA-2008:0832
    a52abf6b9237443c9da7cd7bb60f43ec
glassfish-javamail-1.4.0-0jpp.ep1.9.el5.src.rpm
File outdated by:  RHSA-2008:0832
    4e2ec32fd5f3badd6a8b49b9a3c8abe9
glassfish-jsf-1.2_08-0jpp.ep1.2.el5.src.rpm
File outdated by:  RHSA-2009:0349
    fd4e5a4dea4d5438b21db1a7cbeb8d63
hibernate3-3.2.4-1.SP1_CP03.0jpp.ep1.1.el5.src.rpm
File outdated by:  RHSA-2009:0349
    475729cf3acb012536589cacc336dbfb
hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.3.el5.1.src.rpm
File outdated by:  RHBA-2008:0930
    4517b9e095093fe3df93eedb4480a40a
hibernate3-entitymanager-3.2.1-1jpp.ep1.7.el5.src.rpm
File outdated by:  RHBA-2008:0930
    8c43069f1ceb28f926b06bfaf5bf3007
jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el5.src.rpm
File outdated by:  RHBA-2008:0930
    a86660adad7d6f14bc02b73e85090660
jboss-cache-1.4.1-4.SP9.1jpp.ep1.1.el5.src.rpm
File outdated by:  RHSA-2009:0349
    411eb8aea1a884415876321e5d8263c2
jboss-messaging-1.4.0-1.SP3_CP02.0jpp.ep1.6.el5.src.rpm
File outdated by:  RHSA-2009:0349
    cc520c0958dbe9df787e1c93c9441405
jboss-remoting-2.2.2-3.SP7.0jpp.ep1.3.el5.src.rpm
File outdated by:  RHSA-2009:0349
    a332de1b929de6b4a06fb12707968c54
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.5.el5.1.src.rpm
File outdated by:  RHSA-2009:0349
    3940a81dd92c0f8005c9ab1a241e3121
jbossas-4.3.0-2.GA_CP01.ep1.6.el5.1.src.rpm
File outdated by:  RHSA-2009:0349
    e67649a3b46b1493527dafa8336110f2
jbossts-4.2.3-1.SP5_CP01.1jpp.ep1.1.el5.src.rpm
File outdated by:  RHSA-2009:0349
    de0378f8f437eff2fefa54bcb56a7429
jbossws-2.0.1-2.SP2_CP01.0jpp.ep1.2.el5.src.rpm
File outdated by:  RHSA-2009:0349
    ffc4025337e39dacdba3b281985b53a4
jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el5.1.src.rpm
File outdated by:  RHSA-2008:0832
    32dae1e08f4e6ea44c1b3bcea5de09a9
jcommon-1.0.12-1jpp.ep1.3.el5.src.rpm     b90e5ed85726914466bb94c597761a54
jfreechart-1.0.9-1jpp.ep1.3.el5.1.src.rpm     44eb3a939a14d805a58ee3020c6dc450
jgroups-2.4.2-1.GA_CP01.0jpp.ep1.1.el5.src.rpm
File outdated by:  RHSA-2009:0349
    45e1b2578c2273ed9edda53ac50c2be4
rh-eap-docs-4.3.0-2.GA_CP01.ep1.4.el5.src.rpm
File outdated by:  RHSA-2009:0349
    0c5abaef894ad707f7d9b988a08cc69b
 
IA-32:
asm-1.5.3-1jpp.ep1.2.el5.noarch.rpm     d787c43e4bce216b275f8c71ab891961
cglib-2.1.3-2jpp.ep1.6.el5.noarch.rpm     403c91c1047e222c1cb16f36da017e9a
concurrent-1.3.4-8jpp.ep1.6.el5.1.noarch.rpm     fe545180815317bf224f14110ef6c7e6
glassfish-jaf-1.1.0-0jpp.ep1.11.el5.1.noarch.rpm
File outdated by:  RHSA-2008:0832
    743733c669f6efda6e9426d16627f676
glassfish-javamail-1.4.0-0jpp.ep1.9.el5.noarch.rpm
File outdated by:  RHSA-2008:0832
    ae6038fffe54a0c276279db9781f3f2c
glassfish-jsf-1.2_08-0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    c37cb2a4430a682d0e0f191586303c91
hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.3.el5.1.noarch.rpm
File outdated by:  RHBA-2008:0930
    d0191f66c956b18f25518315dca72f97
hibernate3-annotations-javadoc-3.2.1-1.patch02.1jpp.ep1.3.el5.1.noarch.r
File outdated by:  RHBA-2008:0930
    58f4fb76f60ef0b02bd7825caa64bf73
hibernate3-entitymanager-3.2.1-1jpp.ep1.7.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    7a0a47e75345fe4306a5bfc7f82d1179
hibernate3-entitymanager-javadoc-3.2.1-1jpp.ep1.7.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    fbd1128319fbe54a1d7d71f27456e0af
hibernate3-javadoc-3.2.4-1.SP1_CP03.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    10e4eeecf50844b2a02378382f22ffbc
jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    cc5490755f79618e7dd9439d89773efb
jboss-cache-1.4.1-4.SP9.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    5a4143ea9360ba9955d813b0dc28406e
jboss-messaging-1.4.0-1.SP3_CP02.0jpp.ep1.6.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    160cf55c075474c2ce53c9ef0aa905bc
jboss-remoting-2.2.2-3.SP7.0jpp.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    50d17afc31b9cc3c383cc10c25c606c7
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.5.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    e1ee24bd21f046b135c08a14e0fcc073
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.5.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    122f1677e1a91c3e3b5dc1d7d4df463f
jbossas-4.3.0-2.GA_CP01.ep1.6.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    83c7d2358be6a7de8c83f142a743c86e
jbossts-4.2.3-1.SP5_CP01.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    fa271bee571393b7515f4dbc12f56beb
jbossws-2.0.1-2.SP2_CP01.0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    6a21d4d3f00781591c7e8fbb9c2b7e55
jbossws-native42-2.0.1-2.SP2_CP01.0jpp.ep1.2.el5.noarch.rpm     f8ad194d6e630ebe4efbd21a830729a3
jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el5.1.noarch.rpm
File outdated by:  RHSA-2008:0832
    f1919486974d8af039dc376c40e4d28c
jcommon-1.0.12-1jpp.ep1.3.el5.noarch.rpm     dec511ca8b55cf97dfec1043afbbdf46
jfreechart-1.0.9-1jpp.ep1.3.el5.1.noarch.rpm     e3019ba8e1922bba8f6f087a71a0cf8e
jgroups-2.4.2-1.GA_CP01.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    b40ec6ffcfc43924e0c3dfba20f3dd59
rh-eap-docs-4.3.0-2.GA_CP01.ep1.4.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    8e11043c118fd9be5781dd1feb40fa96
 
x86_64:
asm-1.5.3-1jpp.ep1.2.el5.noarch.rpm     d787c43e4bce216b275f8c71ab891961
cglib-2.1.3-2jpp.ep1.6.el5.noarch.rpm     403c91c1047e222c1cb16f36da017e9a
concurrent-1.3.4-8jpp.ep1.6.el5.1.noarch.rpm     fe545180815317bf224f14110ef6c7e6
glassfish-jaf-1.1.0-0jpp.ep1.11.el5.1.noarch.rpm
File outdated by:  RHSA-2008:0832
    743733c669f6efda6e9426d16627f676
glassfish-javamail-1.4.0-0jpp.ep1.9.el5.noarch.rpm
File outdated by:  RHSA-2008:0832
    ae6038fffe54a0c276279db9781f3f2c
glassfish-jsf-1.2_08-0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    c37cb2a4430a682d0e0f191586303c91
hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.3.el5.1.noarch.rpm
File outdated by:  RHBA-2008:0930
    d0191f66c956b18f25518315dca72f97
hibernate3-annotations-javadoc-3.2.1-1.patch02.1jpp.ep1.3.el5.1.noarch.r
File outdated by:  RHBA-2008:0930
    58f4fb76f60ef0b02bd7825caa64bf73
hibernate3-entitymanager-3.2.1-1jpp.ep1.7.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    7a0a47e75345fe4306a5bfc7f82d1179
hibernate3-entitymanager-javadoc-3.2.1-1jpp.ep1.7.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    fbd1128319fbe54a1d7d71f27456e0af
hibernate3-javadoc-3.2.4-1.SP1_CP03.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    10e4eeecf50844b2a02378382f22ffbc
jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHBA-2008:0930
    cc5490755f79618e7dd9439d89773efb
jboss-cache-1.4.1-4.SP9.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    5a4143ea9360ba9955d813b0dc28406e
jboss-messaging-1.4.0-1.SP3_CP02.0jpp.ep1.6.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    160cf55c075474c2ce53c9ef0aa905bc
jboss-remoting-2.2.2-3.SP7.0jpp.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    50d17afc31b9cc3c383cc10c25c606c7
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.5.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    e1ee24bd21f046b135c08a14e0fcc073
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.5.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    122f1677e1a91c3e3b5dc1d7d4df463f
jbossas-4.3.0-2.GA_CP01.ep1.6.el5.1.noarch.rpm
File outdated by:  RHSA-2009:0349
    83c7d2358be6a7de8c83f142a743c86e
jbossts-4.2.3-1.SP5_CP01.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    fa271bee571393b7515f4dbc12f56beb
jbossws-2.0.1-2.SP2_CP01.0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    6a21d4d3f00781591c7e8fbb9c2b7e55
jbossws-native42-2.0.1-2.SP2_CP01.0jpp.ep1.2.el5.noarch.rpm     f8ad194d6e630ebe4efbd21a830729a3
jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el5.1.noarch.rpm
File outdated by:  RHSA-2008:0832
    f1919486974d8af039dc376c40e4d28c
jcommon-1.0.12-1jpp.ep1.3.el5.noarch.rpm     dec511ca8b55cf97dfec1043afbbdf46
jfreechart-1.0.9-1jpp.ep1.3.el5.1.noarch.rpm     e3019ba8e1922bba8f6f087a71a0cf8e
jgroups-2.4.2-1.GA_CP01.0jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    b40ec6ffcfc43924e0c3dfba20f3dd59
rh-eap-docs-4.3.0-2.GA_CP01.ep1.4.el5.noarch.rpm
File outdated by:  RHSA-2009:0349
    8e11043c118fd9be5781dd1feb40fa96
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

437082 - CVE-2008-1285 Cross-site scripting (XSS) vulnerability in Sun Java Server Faces
457757 - CVE-2008-3273 JBossEAP status servlet info leak


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
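As an added example (not part of this advisory or of Red Hat's tooling), a POSIX shell script that turns the "Updated packages" listing above into an md5sum manifest, checks downloaded RPMs against it, and then asks rpm -K to verify the GPG signature. The demo() input and the RHSA-0000:0000 id it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the advisory: check downloaded RPMs against the MD5
# sums printed in "Updated packages", then have rpm verify the GPG signature.
# Input is the advisory saved as plain text.

# Convert the package listing into "md5  filename" lines. Copes with both
# layouts on the page: the sum on the filename's line, and the sum on its own
# line after a "File outdated by:" note. Entries without a 32-char sum drop out.
advisory_manifest() {
    awk '
        NF == 2 && $1 ~ /\.rpm$/ && length($2) == 32 { print $2 "  " $1; next }
        NF == 1 && $1 ~ /\.rpm$/                     { pending = $1; next }
        NF == 1 && length($1) == 32 && pending != "" { print $1 "  " pending; pending = ""; next }
        /^File outdated by:/                         { next }
        { pending = "" }
    ' "$1"
}

# Compare each file present in $2 with its advisory sum; returns the number of
# mismatches, so 0 means every downloaded package matched.
verify_md5() {
    dir=$2 bad=0
    while read -r sum name; do
        [ -f "$dir/$name" ] || continue          # not downloaded: nothing to check
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then echo "OK        $name"
        else echo "MISMATCH  $name" >&2; bad=$((bad + 1)); fi
    done <<EOF
$(advisory_manifest "$1")
EOF
    return "$bad"
}

# Signature check: rpm -K needs Red Hat's package key imported beforehand
# (see the key URL above). Fails closed when rpm is not installed.
verify_signature() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm missing: $1 unverified" >&2; return 2; }
    rpm -K "$1"
}

# Constructed demo input, not a real package: an empty file, whose MD5 is
# d41d8cd98f00b204e9800998ecf8427e, listed in the three-line page layout
# with a placeholder advisory id.
demo() {
    tmp=$(mktemp -d); : > "$tmp/demo-1.0-1.el5.noarch.rpm"
    printf '%s\n' 'demo-1.0-1.el5.noarch.rpm' 'File outdated by:  RHSA-0000:0000' \
        '    d41d8cd98f00b204e9800998ecf8427e' > "$tmp/advisory.txt"
    verify_md5 "$tmp/advisory.txt" "$tmp"; rc=$?; rm -rf "$tmp"; return "$rc"
}
```

Typical use is `verify_md5 RHSA-2008-0828.txt ./downloads` followed by `verify_signature` on each RPM; a non-zero return from either means the file should not be installed.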

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/