Security Advisory Moderate: JBoss Enterprise Application Platform 4.3.0CP04 update

Advisory: RHSA-2009:0347-4
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-06
Last updated on: 2009-03-06
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
CVEs (cve.mitre.org): CVE-2009-0027

Details

Updated JBoss Enterprise Application Platform (JBoss EAP) 4.3 packages that
fix various issues are now available for Red Hat Enterprise Linux 4 as
JBEAP 4.3.0.CP04.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

JBoss Enterprise Application Platform (JBoss EAP) is the market-leading
platform for innovative and scalable Java applications. JBoss EAP
integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam
into a complete, simple enterprise solution.

This release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a
replacement for JBEAP 4.3.0.CP03.

These updated packages include bug fixes and enhancements which are
detailed in the release notes. The link to the release notes is available
in the References section of this erratum.

The following security issue is also fixed with this release:

The request handler in JBossWS did not correctly verify the resource path
when serving WSDL files for custom web service endpoints. This allowed
remote attackers to read arbitrary XML files with the permissions of the
EAP process. (CVE-2009-0027)
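To illustrate the class of check that was missing, here is an added example of a hardened WSDL resource lookup. It is not JBossWS code and not part of this advisory; the class name, the method name and the notion of a per-endpoint publish directory are assumptions. It serves only a regular .wsdl or .xsd file whose canonical path stays inside that directory, which is what prevents a crafted resource name from reaching other XML files readable by the EAP process.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical example (not JBossWS code; names are assumed): confine a WSDL
 * request handler to files below the endpoint's publish directory.
 */
public final class WsdlResourceResolver {
    private final Path publishRoot;

    public WsdlResourceResolver(Path publishRoot) throws IOException {
        // Canonicalise once (symlinks, "..") so every check below compares real paths.
        this.publishRoot = publishRoot.toRealPath();
    }

    /** Returns the file to serve, or null when the request must be refused. */
    public Path resolve(String requestedResource) throws IOException {
        if (requestedResource == null || requestedResource.isEmpty()) return null;

        // Only the WSDL itself and the schemas it imports are legitimate targets;
        // this alone rules out serving arbitrary XML configuration files.
        String lower = requestedResource.toLowerCase();
        if (!(lower.endsWith(".wsdl") || lower.endsWith(".xsd"))) return null;

        // Resource names are relative to the publish directory: refuse absolute
        // paths and anything the filesystem cannot even parse.
        Path requested;
        try {
            requested = Paths.get(requestedResource);
        } catch (InvalidPathException e) {
            return null;
        }
        if (requested.isAbsolute()) return null;

        // normalize() collapses "." and ".."; startsWith() compares whole path
        // components, so "/srv/wsdl" is not a prefix of "/srv/wsdl-other".
        Path candidate = publishRoot.resolve(requested).normalize();
        if (!candidate.startsWith(publishRoot)) return null; // ".." escaped the root
        if (!Files.isRegularFile(candidate)) return null;

        // A symlink planted inside the root could still point elsewhere:
        // re-check containment on the fully resolved path before serving it.
        Path real = candidate.toRealPath();
        return real.startsWith(publishRoot) ? real : null;
    }
}
```

The handler that owns the endpoint would call resolve() with the decoded resource name from the request and return 404 on null rather than falling back to any other lookup.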

Warning: before applying this update, please back up the JBoss EAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBoss EAP 4.3 on Red Hat Enterprise Linux 4 are advised to
upgrade to these updated packages, which resolve these issues.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4

SRPMS:
glassfish-jaxb-2.1.4-1.6.ep1.el4.src.rpm
File outdated by:  RHSA-2010:0937
    MD5: 13e101cc3e94fa4f44ae489fd665b778
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: da1aeee4bf320cbcbb1cdcd5d171db9d
jacorb-2.3.0-1jpp.ep1.7.el4.src.rpm
File outdated by:  RHSA-2010:0377
    MD5: 8670fe5035ada902134b90e85fdfcc32
jakarta-commons-beanutils-1.8.0-3.ep5.el4.src.rpm     MD5: c60d00b1fa569956408b9678e733bcaf
jakarta-commons-logging-jboss-1.1-4.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: 5c538218382b64349e9edb4a411af0ed
jboss-cache-1.4.1-6.SP11.1.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: d6dab77650bdbadc01960e9bc3a583b4
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.src.rpm     MD5: 18406ffea20d5942ec4fcf2fea94923a
jboss-messaging-1.4.0-2.SP3_CP07.1.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: cd0dc61d7221f985cfcb0e58ef73b143
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: a7b52cddbb71b9acec949207dd9a11a5
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: cba7115463dff2699bd4f3d2a1d8cab8
jbossas-4.3.0-3.GA_CP04.3.ep1.el4.src.rpm
File outdated by:  RHSA-2013:0249
    MD5: aee479bad2f7215a2ce07786a1a19911
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.src.rpm
File outdated by:  RHSA-2010:0937
    MD5: 32fddc998927170671cdba4859fc92da
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: efd2673fcc1c642d88b53a1f6e21eca0
jbossws-2.0.1-3.SP2_CP05.4.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
    MD5: 342ba4dd8e8e210cbb76269af5eb96d0
jbossws-common-1.0.0-2.GA_CP03.1.ep1.el4.src.rpm
File outdated by:  RHSA-2011:1306
    MD5: 6a829e9c328381b93ce627907aa4057a
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.src.rpm     MD5: 9eb660786f53eded1ff60ecbfbb9cfe7
ws-commons-policy-1.0-2jpp.ep1.7.el4.src.rpm     MD5: acf4513e611665c87ebe586023cd094d
ws-scout0-0.7-0.rc2.4.el4.src.rpm     MD5: aacdf21918e189fd41232f5be2b9ec3f
xalan-j2-2.7.0-2jpp.ep1.5.el4.src.rpm
File outdated by:  RHSA-2010:0937
    MD5: 794376f10260ddaf854f1073c1de4e3d
 
IA-32:
glassfish-jaxb-2.1.4-1.6.ep1.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: d0edf0c33738f822d8d048a68a9e974b
glassfish-jaxb-javadoc-2.1.4-1.6.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1636
    MD5: 974589e1e18b709f5bc67cb6b9084007
glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4.noarch.rpm
File outdated by:  RHSA-2009:1636
    MD5: 62ed7e4e9301e7119a47d4c4ee50b7f4
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: cca11e569d843e7cdbb4c781ca716958
hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 21cbf6e8bca5ba1fa24a872fcf528b4c
jacorb-2.3.0-1jpp.ep1.7.el4.noarch.rpm
File outdated by:  RHSA-2010:0377
    MD5: 34c2c78ef5e6588e423b3c9ae0754c25
jakarta-commons-beanutils-1.8.0-3.ep5.el4.noarch.rpm     MD5: fc091b705a784a661051c8b83e3fec9a
jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4.noarch.rpm     MD5: bbc285a415be51a7b108da31a09fdb5d
jakarta-commons-io-1.1-0.20051005.2jpp_1rh.noarch.rpm     MD5: 5d7f358651ee31279e672a46139e1130
jakarta-commons-logging-jboss-1.1-4.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 6bb6f7e0ac62cd6f3e5c3d4955f9b2c0
jboss-cache-1.4.1-6.SP11.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 9065bd55198fa70b12f67777eeb89d3c
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.noarch.rpm     MD5: e36b5843f3b2f4441e3dd4afc09881c5
jboss-messaging-1.4.0-2.SP3_CP07.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: f47b7d6f5d48554cbe90915bdc2aad93
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: c140d7690c94e1dc6094422458effda9
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: add7198f8e53f3cf15c6a72263ca5e13
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: e625054d90f4b6b5a86cb2ff6b3c9ef1
jboss-vfs-1.0.0-1.ep1.el4.noarch.rpm     MD5: e6fbe4b1d856676edc2f1c7ee8bd76af
jbossas-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
    MD5: aef59acc62e9782eb07ac9ca9c008e8e
jbossas-4.3.0.GA_CP04-bin-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm     MD5: c2728af0adb88d84d41ee114905bf4d3
jbossas-client-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
    MD5: 2663d52b6f9e0dc86b76a35c83e773b7
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: 6225ecd6f73d1a5a25768358c06d4076
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 8726f935dcab0a836e4fa4559c222e77
jbossws-2.0.1-3.SP2_CP05.4.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: cf98ee28943f07738867bbe7661fcb6c
jbossws-common-1.0.0-2.GA_CP03.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1306
    MD5: aab73d8f11180f7635238e818163a4e4
jbossws-framework-2.0.1-1.GA_CP03.2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 857065e8f621823690286ddc3492dbe9
jgroups-2.4.5-2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 8c49064d4eb0bb5e5ca73d378a6a8a76
rh-eap-docs-4.3.0-4.GA_CP04.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 810b8d5306734eeb03aff6404db58ac4
rh-eap-docs-examples-4.3.0-4.GA_CP04.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 783a23e53ef95384e2a187535f15379b
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.i386.rpm     MD5: 1fa13cc42662327447cdb595ffbe11a4
ws-commons-policy-1.0-2jpp.ep1.7.el4.noarch.rpm     MD5: 60ee9c992c9222e881e1a399e42b22cb
ws-scout0-0.7-0.rc2.4.el4.noarch.rpm     MD5: a5fa504dba9bbf051000fb3a9267d9a6
xalan-j2-2.7.0-2jpp.ep1.5.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: d3ab56060c5c5f4222be37635fb8fb2f
 
x86_64:
glassfish-jaxb-2.1.4-1.6.ep1.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: d0edf0c33738f822d8d048a68a9e974b
glassfish-jaxb-javadoc-2.1.4-1.6.ep1.el4.noarch.rpm
File outdated by:  RHSA-2009:1636
    MD5: 974589e1e18b709f5bc67cb6b9084007
glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4.noarch.rpm
File outdated by:  RHSA-2009:1636
    MD5: 62ed7e4e9301e7119a47d4c4ee50b7f4
hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: cca11e569d843e7cdbb4c781ca716958
hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 21cbf6e8bca5ba1fa24a872fcf528b4c
jacorb-2.3.0-1jpp.ep1.7.el4.noarch.rpm
File outdated by:  RHSA-2010:0377
    MD5: 34c2c78ef5e6588e423b3c9ae0754c25
jakarta-commons-beanutils-1.8.0-3.ep5.el4.noarch.rpm     MD5: fc091b705a784a661051c8b83e3fec9a
jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4.noarch.rpm     MD5: bbc285a415be51a7b108da31a09fdb5d
jakarta-commons-io-1.1-0.20051005.2jpp_1rh.noarch.rpm     MD5: 5d7f358651ee31279e672a46139e1130
jakarta-commons-logging-jboss-1.1-4.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 6bb6f7e0ac62cd6f3e5c3d4955f9b2c0
jboss-cache-1.4.1-6.SP11.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 9065bd55198fa70b12f67777eeb89d3c
jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4.noarch.rpm     MD5: e36b5843f3b2f4441e3dd4afc09881c5
jboss-messaging-1.4.0-2.SP3_CP07.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: f47b7d6f5d48554cbe90915bdc2aad93
jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: c140d7690c94e1dc6094422458effda9
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: add7198f8e53f3cf15c6a72263ca5e13
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: e625054d90f4b6b5a86cb2ff6b3c9ef1
jboss-vfs-1.0.0-1.ep1.el4.noarch.rpm     MD5: e6fbe4b1d856676edc2f1c7ee8bd76af
jbossas-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
    MD5: aef59acc62e9782eb07ac9ca9c008e8e
jbossas-4.3.0.GA_CP04-bin-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm     MD5: c2728af0adb88d84d41ee114905bf4d3
jbossas-client-4.3.0-3.GA_CP04.3.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
    MD5: 2663d52b6f9e0dc86b76a35c83e773b7
jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: 6225ecd6f73d1a5a25768358c06d4076
jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 8726f935dcab0a836e4fa4559c222e77
jbossws-2.0.1-3.SP2_CP05.4.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: cf98ee28943f07738867bbe7661fcb6c
jbossws-common-1.0.0-2.GA_CP03.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1306
    MD5: aab73d8f11180f7635238e818163a4e4
jbossws-framework-2.0.1-1.GA_CP03.2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 857065e8f621823690286ddc3492dbe9
jgroups-2.4.5-2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 8c49064d4eb0bb5e5ca73d378a6a8a76
rh-eap-docs-4.3.0-4.GA_CP04.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 810b8d5306734eeb03aff6404db58ac4
rh-eap-docs-examples-4.3.0-4.GA_CP04.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
    MD5: 783a23e53ef95384e2a187535f15379b
tanukiwrapper-3.2.1-2jpp.ep1.2.el4.x86_64.rpm     MD5: c9bd00292c7d386f2942c591524fcf0d
ws-commons-policy-1.0-2jpp.ep1.7.el4.noarch.rpm     MD5: 60ee9c992c9222e881e1a399e42b22cb
ws-scout0-0.7-0.rc2.4.el4.noarch.rpm     MD5: a5fa504dba9bbf051000fb3a9267d9a6
xalan-j2-2.7.0-2jpp.ep1.5.el4.noarch.rpm
File outdated by:  RHSA-2010:0937
    MD5: d3ab56060c5c5f4222be37635fb8fb2f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

474622 - Tracker bug for the EAP 4.3.0.cp04 release.
479668 - CVE-2009-0027 JBoss EAP unprivileged local xml file access


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/