
Security Advisory Moderate: JBoss Enterprise Application Platform 4.2.0CP06 update

Advisory: RHSA-2009:0346-5
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-06
Last updated on: 2009-03-06
Affected Products: JBoss Enterprise Application Platform 4.2.0 EL4
CVEs (cve.mitre.org): CVE-2009-0027

Details

Updated JBoss Enterprise Application Platform (JBoss EAP) 4.2 packages that
fix various issues are now available for Red Hat Enterprise Linux 4 as
JBEAP 4.2.0.CP06.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

JBoss Enterprise Application Platform (JBoss EAP) is the market-leading
platform for innovative and scalable Java applications. JBoss EAP
integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam
into a complete, simple enterprise solution.

This release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a
replacement to JBEAP 4.2.0.CP05.

These updated packages include bug fixes and enhancements which are
detailed in the release notes. The link to the release notes is available
below in the References section.

The following security issue is also fixed with this release:

The request handler in JBossWS did not correctly verify the resource path
when serving WSDL files for custom web service endpoints. This allowed
remote attackers to read arbitrary XML files with the permissions of the
EAP process. (CVE-2009-0027)
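The root cause above is a file-serving handler that trusted the client-supplied resource name. The following is an added illustration, not JBossWS code, written in Python rather than Java so it runs stand-alone: a resolver that confines WSDL requests to the endpoint's WSDL directory by rejecting absolute paths and parent references, restricting the served file types, and re-checking the canonical path so symlinks cannot escape. The directory layout, file names and contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

# Resource types a WSDL handler legitimately serves (assumption for this demo).
ALLOWED_SUFFIXES = (".wsdl", ".xsd")


def resolve_wsdl_resource(wsdl_root: Path, requested: str) -> Path:
    """Map a client-supplied resource name to a file under wsdl_root.

    Every rejection raises ValueError so the caller can answer with one
    generic 404 and not reveal which check failed.  The containment test
    runs on the canonical (symlink-resolved) path, not on the raw string.
    """
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError("absolute path or parent reference")
    if rel.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("not a WSDL/XSD resource")
    root = wsdl_root.resolve()
    candidate = (root / rel).resolve()
    if root not in candidate.parents:          # escaped via symlink or otherwise
        raise ValueError("resolves outside the WSDL directory")
    if not candidate.is_file():
        raise ValueError("no such resource")
    return candidate


def run_demo() -> dict:
    """Constructed layout: one endpoint WSDL inside the served directory, one
    unrelated XML file outside it, and a symlink inside pointing at that file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        wsdl_dir = base / "data" / "wsdl" / "MyService"
        wsdl_dir.mkdir(parents=True)
        (wsdl_dir / "MyService.wsdl").write_text("<definitions/>")
        (base / "private.xml").write_text("<secret/>")       # must never be served
        os.symlink(base / "private.xml", wsdl_dir / "alias.wsdl")
        cases = {
            "legit": "MyService.wsdl",
            "traversal": "../../../private.xml",
            "absolute": str(base / "private.xml"),
            "wrong_type": "MyService.xml",
            "symlink": "alias.wsdl",
        }
        results = {}
        for label, name in cases.items():
            try:
                resolve_wsdl_resource(wsdl_dir, name)
                results[label] = "served"
            except ValueError:
                results[label] = "rejected"
        return results
```

Only the genuine endpoint WSDL is served; the other four requests are refused before any file is read.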

Warning: before applying this update, please backup the JBoss EAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBoss EAP 4.2 on Red Hat Enterprise Linux 4 are advised to
upgrade to these updated packages, which resolve these issues.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.2.0 EL4

SRPMS:
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: da1aeee4bf320cbcbb1cdcd5d171db9d
jacorb-2.3.0-1jpp.ep1.7.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: 8670fe5035ada902134b90e85fdfcc32
jakarta-commons-beanutils-1.8.0-3.ep5.el4.src.rpm     MD5: c60d00b1fa569956408b9678e733bcaf
jakarta-commons-logging-jboss-1.1-4.ep1.el4.src.rpm
File outdated by:  RHSA-2009:1637
    MD5: 5c538218382b64349e9edb4a411af0ed
jboss-cache-1.4.1-6.SP11.1.ep1.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: d6dab77650bdbadc01960e9bc3a583b4
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.src.rpm     MD5: 18406ffea20d5942ec4fcf2fea94923a
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: a7b52cddbb71b9acec949207dd9a11a5
jboss-seam-1.2.1-1.ep1.18.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: fb26a64b88cb8f712f4c65bfdf085c7c
jbossas-4.2.0-4.GA_CP06.3.ep1.el4.src.rpm
File outdated by:  RHSA-2011:1309
    MD5: 4e3b815e882d4dc017c5ddaaa8d79d69
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: 32fddc998927170671cdba4859fc92da
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.src.rpm
File outdated by:  RHSA-2011:0210
    MD5: efd2673fcc1c642d88b53a1f6e21eca0
rh-eap-docs-4.2.0-5.GA_CP06.ep1.3.el4.src.rpm
File outdated by:  RHSA-2010:0376
    MD5: f4f4d836c7df6c4e7ed291125fb0de63
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.src.rpm     MD5: 9eb660786f53eded1ff60ecbfbb9cfe7
ws-commons-policy-1.0-2jpp.ep1.7.el4.src.rpm     MD5: acf4513e611665c87ebe586023cd094d
ws-scout0-0.7-0.rc2.4.el4.src.rpm     MD5: aacdf21918e189fd41232f5be2b9ec3f
xalan-j2-2.7.0-2jpp.ep1.5.el4.src.rpm     MD5: 794376f10260ddaf854f1073c1de4e3d
 
IA-32:
glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 62ed7e4e9301e7119a47d4c4ee50b7f4
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: cca11e569d843e7cdbb4c781ca716958
hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 21cbf6e8bca5ba1fa24a872fcf528b4c
jacorb-2.3.0-1jpp.ep1.7.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 34c2c78ef5e6588e423b3c9ae0754c25
jakarta-commons-beanutils-1.8.0-3.ep5.el4.noarch.rpm     MD5: fc091b705a784a661051c8b83e3fec9a
jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4.noarch.rpm     MD5: bbc285a415be51a7b108da31a09fdb5d
jakarta-commons-io-1.1-0.20051005.2jpp_1rh.noarch.rpm     MD5: 5d7f358651ee31279e672a46139e1130
jakarta-commons-logging-jboss-1.1-4.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 6bb6f7e0ac62cd6f3e5c3d4955f9b2c0
jboss-cache-1.4.1-6.SP11.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 9065bd55198fa70b12f67777eeb89d3c
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.noarch.rpm     MD5: e36b5843f3b2f4441e3dd4afc09881c5
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: c140d7690c94e1dc6094422458effda9
jboss-seam-1.2.1-1.ep1.18.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 81006fb8b89577f4cd794e96311cf709
jboss-seam-docs-1.2.1-1.ep1.18.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: d65f5a2020c3960aa602baf910fc077d
jboss-vfs-1.0.0-1.ep1.el4.noarch.rpm     MD5: e6fbe4b1d856676edc2f1c7ee8bd76af
jbossas-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 48f25d808d5b10feab48266a1edd0b8f
jbossas-4.2.0.GA_CP06-bin-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm     MD5: b2295b0f8de957728f86826ef7475596
jbossas-client-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: bd4052444488a9e9f8717c4897effd34
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 6225ecd6f73d1a5a25768358c06d4076
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2011:0210
    MD5: 8726f935dcab0a836e4fa4559c222e77
jgroups-2.4.5-2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 8c49064d4eb0bb5e5ca73d378a6a8a76
rh-eap-docs-4.2.0-5.GA_CP06.ep1.3.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 2d7f43f31b103585b9fa531fa26d3693
rh-eap-docs-examples-4.2.0-5.GA_CP06.ep1.3.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 9ad8b0953440e43f91959f25da0dcb63
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.i386.rpm     MD5: 1fa13cc42662327447cdb595ffbe11a4
ws-commons-policy-1.0-2jpp.ep1.7.el4.noarch.rpm     MD5: 60ee9c992c9222e881e1a399e42b22cb
ws-scout0-0.7-0.rc2.4.el4.noarch.rpm     MD5: a5fa504dba9bbf051000fb3a9267d9a6
xalan-j2-2.7.0-2jpp.ep1.5.el4.noarch.rpm     MD5: d3ab56060c5c5f4222be37635fb8fb2f
 
x86_64:
glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 62ed7e4e9301e7119a47d4c4ee50b7f4
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: cca11e569d843e7cdbb4c781ca716958
hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 21cbf6e8bca5ba1fa24a872fcf528b4c
jacorb-2.3.0-1jpp.ep1.7.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 34c2c78ef5e6588e423b3c9ae0754c25
jakarta-commons-beanutils-1.8.0-3.ep5.el4.noarch.rpm     MD5: fc091b705a784a661051c8b83e3fec9a
jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4.noarch.rpm     MD5: bbc285a415be51a7b108da31a09fdb5d
jakarta-commons-io-1.1-0.20051005.2jpp_1rh.noarch.rpm     MD5: 5d7f358651ee31279e672a46139e1130
jakarta-commons-logging-jboss-1.1-4.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 6bb6f7e0ac62cd6f3e5c3d4955f9b2c0
jboss-cache-1.4.1-6.SP11.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 9065bd55198fa70b12f67777eeb89d3c
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.noarch.rpm     MD5: e36b5843f3b2f4441e3dd4afc09881c5
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: c140d7690c94e1dc6094422458effda9
jboss-seam-1.2.1-1.ep1.18.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 81006fb8b89577f4cd794e96311cf709
jboss-seam-docs-1.2.1-1.ep1.18.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: d65f5a2020c3960aa602baf910fc077d
jboss-vfs-1.0.0-1.ep1.el4.noarch.rpm     MD5: e6fbe4b1d856676edc2f1c7ee8bd76af
jbossas-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 48f25d808d5b10feab48266a1edd0b8f
jbossas-4.2.0.GA_CP06-bin-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm     MD5: b2295b0f8de957728f86826ef7475596
jbossas-client-4.2.0-4.GA_CP06.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: bd4052444488a9e9f8717c4897effd34
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 6225ecd6f73d1a5a25768358c06d4076
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2011:0210
    MD5: 8726f935dcab0a836e4fa4559c222e77
jgroups-2.4.5-2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1637
    MD5: 8c49064d4eb0bb5e5ca73d378a6a8a76
rh-eap-docs-4.2.0-5.GA_CP06.ep1.3.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 2d7f43f31b103585b9fa531fa26d3693
rh-eap-docs-examples-4.2.0-5.GA_CP06.ep1.3.el4.noarch.rpm
File outdated by:  RHSA-2010:0376
    MD5: 9ad8b0953440e43f91959f25da0dcb63
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.x86_64.rpm     MD5: c9bd00292c7d386f2942c591524fcf0d
ws-commons-policy-1.0-2jpp.ep1.7.el4.noarch.rpm     MD5: 60ee9c992c9222e881e1a399e42b22cb
ws-scout0-0.7-0.rc2.4.el4.noarch.rpm     MD5: a5fa504dba9bbf051000fb3a9267d9a6
xalan-j2-2.7.0-2jpp.ep1.5.el4.noarch.rpm     MD5: d3ab56060c5c5f4222be37635fb8fb2f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

474619 - Tracker bug for the EAP 4.2.0.cp06 release.
479668 - CVE-2009-0027 JBoss EAP unprivileged local xml file access


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/