Security Advisory Important: JBoss Enterprise Application Platform 4.2.0.CP07 update

Advisory: RHSA-2009:1143-1
Type: Security Advisory
Severity: Important
Issued on: 2009-07-06
Last updated on: 2009-07-06
Affected Products: JBoss Enterprise Application Platform 4.2.0 EL5
OVAL: N/A
CVEs (cve.mitre.org): CVE-2008-5515, CVE-2009-0580, CVE-2009-0783

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
various issues are now available for Red Hat Enterprise Linux 5 as JBEAP
4.2.0.CP07.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

JBoss Enterprise Application Platform is the market leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a
replacement for JBEAP 4.2.0.CP06.

These updated packages include bug fixes and enhancements which are
detailed in the release notes. The link to the release notes is available
below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that certain authentication classes did not perform
sufficient error checking, allowing remote attackers to enumerate (via
brute force methods) usernames registered with applications deployed on
JBossWeb when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.2.0 EL5

SRPMS:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.src.rpm     2db32ec8fe348ae977475fb7acd2bf9b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.src.rpm     db303628654f02f1d7c69a89a8221fd0
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.src.rpm     c67f091d75ead5d53885a29a301d36c8
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.src.rpm     d8b65da1ed6aebd9e5166bb8b2fbbbb2
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.src.rpm     231a9429efc02acd31ad512a7a0081c0
jakarta-slide-webdavclient-2.1-9.2.el5.src.rpm     b891ec6df2a335267d371f3f6b907761
jboss-cache-1.4.1-6.SP13.1.ep1.el5.src.rpm     3cff62da578ebb7d469794e7a61a32bd
jboss-remoting-2.2.3-2.ep1.el5.src.rpm     338f03e82d750c30ed384d12ebba6448
jboss-seam-1.2.1-1.ep1.13.el5.src.rpm     0a3343891b2d80e935f17fb169e808e5
jbossas-4.2.0-4.GA_CP07.5.1.ep1.el5.src.rpm     414c8db04f95c15af2befd18143b25a4
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.src.rpm     7a1e74256d2ee042fe01913fa82670a0
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.src.rpm     1b963ed8de011ec6cd7bf55bf0b2830f
jgroups-2.4.6-1.ep1.el5.src.rpm     aedd23b65c68f5d1c5cc5ac57492fe84
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.1.el5.src.rpm     8bbe2ed56b462085e5e1bd240533984a
 
IA-32:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     08bd1505a68d028114c7a19348cb144b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     39c1a09408de769739a0a39edfed7704
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     ecc77cb88515df007a17359c69c4d22f
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     7efd544a74755a92ec97f8b351c1975f
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     d0581ec09abe6ec9daf110ea4f1b324d
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm     ccee1a285ec5fcfd2c3f612d64e6b59f
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm     8963fa39eb15973f86de82d0d13b3e87
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     a8f92cca743b653a62f558030fb1172d
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     76027c716a0160b18a864f4f27ffc5fe
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     0a0a3ce31ddc7561161c44ae1eb7c9cb
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm     6143dd31e31fce76c6fe207edea2dce4
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm     04afb2386a722fcd6197eef4bcd97ead
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm     21bdbbd5fdd76244581747ff1f1ada40
jboss-seam-1.2.1-1.ep1.13.el5.noarch.rpm     461c98c11e7902d0e550ff18d00fc25c
jboss-seam-docs-1.2.1-1.ep1.13.el5.noarch.rpm     6e109546e04da1b8b4f32c42f07df882
jbossas-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     63bafc512290f2b4dda1771f373ec8d3
jbossas-4.2.0.GA_CP07-bin-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     1d5dc0627d5de2ad6dc906f5ee38ab76
jbossas-client-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     a486cdffc146cb97eea05a40b0a7a4f9
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm     f9c106c9d6e21e99a66947c372108291
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm     486dc8e3f435af844df62534208b1459
jgroups-2.4.6-1.ep1.el5.noarch.rpm     6c0e03e3d25427fb0019058473c4fa1e
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm     1d7f702fa828108aefed3cba3305cccc
rh-eap-docs-examples-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm     a4edf4cf891103acdde21e09e90a2b9c
 
x86_64:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     08bd1505a68d028114c7a19348cb144b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     39c1a09408de769739a0a39edfed7704
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     ecc77cb88515df007a17359c69c4d22f
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     7efd544a74755a92ec97f8b351c1975f
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     d0581ec09abe6ec9daf110ea4f1b324d
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm     ccee1a285ec5fcfd2c3f612d64e6b59f
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm     8963fa39eb15973f86de82d0d13b3e87
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     a8f92cca743b653a62f558030fb1172d
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     76027c716a0160b18a864f4f27ffc5fe
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     0a0a3ce31ddc7561161c44ae1eb7c9cb
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm     6143dd31e31fce76c6fe207edea2dce4
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm     04afb2386a722fcd6197eef4bcd97ead
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm     21bdbbd5fdd76244581747ff1f1ada40
jboss-seam-1.2.1-1.ep1.13.el5.noarch.rpm     461c98c11e7902d0e550ff18d00fc25c
jboss-seam-docs-1.2.1-1.ep1.13.el5.noarch.rpm     6e109546e04da1b8b4f32c42f07df882
jbossas-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     63bafc512290f2b4dda1771f373ec8d3
jbossas-4.2.0.GA_CP07-bin-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     1d5dc0627d5de2ad6dc906f5ee38ab76
jbossas-client-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm     a486cdffc146cb97eea05a40b0a7a4f9
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm     f9c106c9d6e21e99a66947c372108291
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm     486dc8e3f435af844df62534208b1459
jgroups-2.4.6-1.ep1.el5.noarch.rpm     6c0e03e3d25427fb0019058473c4fa1e
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm     1d7f702fa828108aefed3cba3305cccc
rh-eap-docs-examples-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm     a4edf4cf891103acdde21e09e90a2b9c
 
(The unlinked packages above are only available from the Red Hat Network)
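The checksum list above is what an administrator compares downloaded packages against before applying the update. The following script is an added example and is not part of the Red Hat advisory: it reads an advisory-style "filename   md5" list, checks each file in a download directory with md5sum(1), and refuses the set if any package is missing or mismatched. The demo data at the bottom (two fake files and a three-line list) is constructed for the example and does not correspond to real packages; the rpm -K step is a real command but is not run in the demo because it needs the imported Red Hat key.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded RPMs against
# an advisory checksum list before installing them.
# Assumes the list format "filename<whitespace>md5" used in the
# "Updated packages" section, and that md5sum(1) is available.

# verify_checksums LISTFILE DIR
#   Prints one line per listed package: OK, MISMATCH, or MISSING.
#   Returns 0 only if every listed package is present and matches.
verify_checksums() {
    list="$1"; dir="$2"; rc=0
    while read -r name sum; do
        [ -z "$name" ] && continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(md5sum "$f" | awk '{print $1}')
        if [ "$actual" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$list"
    return $rc
}

# verify_signatures DIR
#   Second, independent check: rpm -K verifies the Red Hat GPG signature
#   on each package (the advisory's key import instructions apply first).
#   Not called in the constructed demo below.
verify_signatures() {
    rpm -K "$1"/*.rpm
}

# --- constructed demo data (NOT real packages or real checksums) ---
demo_dir=$(mktemp -d)
printf 'good package contents\n' > "$demo_dir/good-1.0-1.el5.noarch.rpm"
printf 'tampered package contents\n' > "$demo_dir/bad-1.0-1.el5.noarch.rpm"
good_sum=$(md5sum "$demo_dir/good-1.0-1.el5.noarch.rpm" | awk '{print $1}')
cat > "$demo_dir/checksums.txt" <<EOF
good-1.0-1.el5.noarch.rpm     $good_sum
bad-1.0-1.el5.noarch.rpm     00000000000000000000000000000000
absent-1.0-1.el5.noarch.rpm     ffffffffffffffffffffffffffffffff
EOF

# Expected: good is OK, bad is MISMATCH, absent is MISSING, and the
# function returns non-zero, so the update is not applied.
verify_checksums "$demo_dir/checksums.txt" "$demo_dir" \
    || echo "Do not install: at least one package failed verification"
```

In practice the list file is the relevant architecture block from the advisory (IA-32 or x86_64) pasted as-is, and the directory is where the packages were downloaded from the Red Hat Network; a MISMATCH or MISSING result means stop and re-download rather than install, and a clean checksum pass is followed by the GPG signature check.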

Bugs fixed (see bugzilla for more information)

499600 - Tracker bug for the EAP 4.2.0.cp07 release for RHEL-5.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/