Security Advisory Important: JBoss Enterprise Application Platform 4.3.0.CP05 update

Advisory: RHSA-2009:1145-1
Type: Security Advisory
Severity: Important
Issued on: 2009-07-06
Last updated on: 2009-07-06
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL5
OVAL: N/A
CVEs (cve.mitre.org): CVE-2008-5515, CVE-2009-0580, CVE-2009-0783

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
various issues are now available for Red Hat Enterprise Linux 5 as JBEAP
4.3.0.CP05.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a
replacement to JBEAP 4.3.0.CP04.

These updated packages include bug fixes and enhancements which are
detailed in the release notes. The link to the release notes is available
below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that the error-checking methods of certain authentication
classes did not perform sufficient checks, allowing remote attackers to
enumerate (via brute force methods) usernames registered with applications
deployed on JBossWeb when FORM-based authentication was used.
(CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL5

SRPMS:
glassfish-jaxb-2.1.4-1.11.1.ep1.el5.src.rpm     9c14be6393a92d12a2e005bb770ec777
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.src.rpm     2db32ec8fe348ae977475fb7acd2bf9b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.src.rpm     db303628654f02f1d7c69a89a8221fd0
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.src.rpm     c67f091d75ead5d53885a29a301d36c8
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.src.rpm     d8b65da1ed6aebd9e5166bb8b2fbbbb2
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.src.rpm     231a9429efc02acd31ad512a7a0081c0
jakarta-slide-webdavclient-2.1-9.2.el5.src.rpm     b891ec6df2a335267d371f3f6b907761
jboss-cache-1.4.1-6.SP13.1.ep1.el5.src.rpm     3cff62da578ebb7d469794e7a61a32bd
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.src.rpm     79b615d373e1b223fd96e91563e8f0f6     [File outdated by: RHBA-2009:1183]
jboss-remoting-2.2.3-2.ep1.el5.src.rpm     338f03e82d750c30ed384d12ebba6448
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.src.rpm     492be6e016e36c541d1dec56f1bb1650
jbossas-4.3.0-4.GA_CP05.6.1.ep1.el5.src.rpm     ec25a03cd6a944f3cdbdfe806d393968     [File outdated by: RHBA-2009:1183]
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.src.rpm     7a1e74256d2ee042fe01913fa82670a0
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.src.rpm     1b963ed8de011ec6cd7bf55bf0b2830f
jbossws-2.0.1-3.SP2_CP06.3.1.ep1.el5.src.rpm     258ffbd83d19c0ae4418a1bba40e7805
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el5.src.rpm     544523b1c28c4174e68f47f335528698
jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el5.src.rpm     185552999f80c55c56284e34cf027322
jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el5.src.rpm     5a18539124de183e1593225a60e14773
jgroups-2.4.6-1.ep1.el5.src.rpm     aedd23b65c68f5d1c5cc5ac57492fe84
rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.1.el5.src.rpm     9012631f65eab2c727dd5140041d81a2     [File outdated by: RHBA-2009:1183]
 
IA-32:
glassfish-jaxb-2.1.4-1.11.1.ep1.el5.noarch.rpm     0791ac0b91838a7865aac201dcf6f3e5
glassfish-jaxb-javadoc-2.1.4-1.11.1.ep1.el5.noarch.rpm     5427e0d2fc41bec055311b4422cf7c56
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     08bd1505a68d028114c7a19348cb144b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     39c1a09408de769739a0a39edfed7704
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     ecc77cb88515df007a17359c69c4d22f
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     7efd544a74755a92ec97f8b351c1975f
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     d0581ec09abe6ec9daf110ea4f1b324d
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm     ccee1a285ec5fcfd2c3f612d64e6b59f
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm     8963fa39eb15973f86de82d0d13b3e87
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     a8f92cca743b653a62f558030fb1172d
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     76027c716a0160b18a864f4f27ffc5fe
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     0a0a3ce31ddc7561161c44ae1eb7c9cb
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm     6143dd31e31fce76c6fe207edea2dce4
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm     04afb2386a722fcd6197eef4bcd97ead
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.noarch.rpm     52782661419fa9636e61c08669790a42     [File outdated by: RHBA-2009:1183]
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm     21bdbbd5fdd76244581747ff1f1ada40
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm     7dad19317bfbe242b480f286300c0aaa
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm     42343cc973ccb6e14c028ba641299bad
jbossas-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     9a698f1e662c1d96816388314e2ad61c     [File outdated by: RHBA-2009:1183]
jbossas-4.3.0.GA_CP05-bin-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     6d8f0e2aa9a1f3657284512d643cc8f7
jbossas-client-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     88e6d8346752c3e4fd1ac2040aa860b5     [File outdated by: RHBA-2009:1183]
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm     f9c106c9d6e21e99a66947c372108291
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm     486dc8e3f435af844df62534208b1459
jbossws-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm     a0986646c23a6b92e102987a24e57d94
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el5.noarch.rpm     735e4d4b35c6ae836fec68256d22ea9e
jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el5.noarch.rpm     bf383631c74aea6ae2d935206b5cdcc0
jbossws-native42-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm     41081d793a8b8d5fa43091df92a8d4a1
jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el5.noarch.rpm     c0cf0bd916adeb2b1d86724c86075e17
jgroups-2.4.6-1.ep1.el5.noarch.rpm     6c0e03e3d25427fb0019058473c4fa1e
rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm     80efcbc5e87c35793e8a6daaa0d2cea5     [File outdated by: RHBA-2009:1183]
rh-eap-docs-examples-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm     0d5116576131d0ee160f701a1c67c5d6     [File outdated by: RHBA-2009:1183]
 
x86_64:
glassfish-jaxb-2.1.4-1.11.1.ep1.el5.noarch.rpm     0791ac0b91838a7865aac201dcf6f3e5
glassfish-jaxb-javadoc-2.1.4-1.11.1.ep1.el5.noarch.rpm     5427e0d2fc41bec055311b4422cf7c56
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     08bd1505a68d028114c7a19348cb144b
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     39c1a09408de769739a0a39edfed7704
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm     ecc77cb88515df007a17359c69c4d22f
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     7efd544a74755a92ec97f8b351c1975f
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm     d0581ec09abe6ec9daf110ea4f1b324d
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm     ccee1a285ec5fcfd2c3f612d64e6b59f
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm     8963fa39eb15973f86de82d0d13b3e87
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm     a8f92cca743b653a62f558030fb1172d
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     76027c716a0160b18a864f4f27ffc5fe
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm     0a0a3ce31ddc7561161c44ae1eb7c9cb
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm     6143dd31e31fce76c6fe207edea2dce4
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm     04afb2386a722fcd6197eef4bcd97ead
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.noarch.rpm     52782661419fa9636e61c08669790a42     [File outdated by: RHBA-2009:1183]
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm     21bdbbd5fdd76244581747ff1f1ada40
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm     7dad19317bfbe242b480f286300c0aaa
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm     42343cc973ccb6e14c028ba641299bad
jbossas-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     9a698f1e662c1d96816388314e2ad61c     [File outdated by: RHBA-2009:1183]
jbossas-4.3.0.GA_CP05-bin-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     6d8f0e2aa9a1f3657284512d643cc8f7
jbossas-client-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     88e6d8346752c3e4fd1ac2040aa860b5     [File outdated by: RHBA-2009:1183]
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm     f9c106c9d6e21e99a66947c372108291
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm     486dc8e3f435af844df62534208b1459
jbossws-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm     a0986646c23a6b92e102987a24e57d94
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el5.noarch.rpm     735e4d4b35c6ae836fec68256d22ea9e
jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el5.noarch.rpm     bf383631c74aea6ae2d935206b5cdcc0
jbossws-native42-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm     41081d793a8b8d5fa43091df92a8d4a1
jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el5.noarch.rpm     c0cf0bd916adeb2b1d86724c86075e17
jgroups-2.4.6-1.ep1.el5.noarch.rpm     6c0e03e3d25427fb0019058473c4fa1e
rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm     80efcbc5e87c35793e8a6daaa0d2cea5     [File outdated by: RHBA-2009:1183]
rh-eap-docs-examples-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm     0d5116576131d0ee160f701a1c67c5d6     [File outdated by: RHBA-2009:1183]
 
(The unlinked packages above are only available from the Red Hat Network)
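The package table above pairs each RPM with its MD5 sum, and some entries carry a "File outdated by" note pointing at a later advisory. The following is an added example (not Red Hat tooling, and not part of the advisory) showing how an administrator can parse that listing and check a directory of downloaded RPMs against it before installing. It accepts both the raw layout of the advisory page (name, optional "File outdated by" line, checksum on an indented third line) and a compact one-line form with the note in square brackets; the listing excerpt embedded in the code is constructed from a few entries on this page, and the files written by `demo()` are constructed stand-ins, not real RPMs. The MD5 check only confirms that a download matches the advisory; package authenticity still rests on the GPG signature check (`rpm --checksig`) described at the end of the page.

```python
"""Parse a Red Hat advisory package listing and verify downloaded RPM checksums.

Added example: not Red Hat's tooling and not part of advisory RHSA-2009:1145.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional


class PackageEntry(NamedTuple):
    arch: str                    # listing section: SRPMS, IA-32, x86_64
    filename: str                # RPM file name exactly as listed
    md5: str                     # MD5 sum printed beside the file name
    outdated_by: Optional[str]   # later advisory ID if flagged "File outdated by"


# Constructed excerpt using entries from this advisory, in both layouts.
SAMPLE_LISTING = """\
SRPMS:
glassfish-jaxb-2.1.4-1.11.1.ep1.el5.src.rpm     9c14be6393a92d12a2e005bb770ec777
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.src.rpm
File outdated by:  RHBA-2009:1183
    79b615d373e1b223fd96e91563e8f0f6

IA-32:
jgroups-2.4.6-1.ep1.el5.noarch.rpm     6c0e03e3d25427fb0019058473c4fa1e
jbossas-client-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm     88e6d8346752c3e4fd1ac2040aa860b5     [File outdated by: RHBA-2009:1183]
"""

_SECTION_RE = re.compile(r"^([A-Za-z0-9_-]+):$")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_ONE_LINE_RE = re.compile(
    r"^(\S+\.rpm)\s+([0-9a-f]{32})(?:\s+\[File outdated by:\s*(\S+)\])?$")
_OUTDATED_RE = re.compile(r"^File outdated by:\s*(\S+)$")


def parse_package_listing(text: str) -> List[PackageEntry]:
    """Turn the advisory's package table into PackageEntry records.

    Handles the three-line form (name / "File outdated by" / checksum) as well
    as single-line entries. Unrecognised lines raise rather than being skipped,
    so a mangled copy of the listing cannot silently drop a package.
    """
    entries: List[PackageEntry] = []
    section = ""
    pending_name: Optional[str] = None
    pending_outdated: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _ONE_LINE_RE.match(line)
        if m:
            entries.append(PackageEntry(section, m.group(1), m.group(2), m.group(3)))
            continue
        if line.endswith(".rpm"):              # name alone: checksum follows later
            pending_name, pending_outdated = line, None
            continue
        m = _OUTDATED_RE.match(line)
        if m and pending_name:
            pending_outdated = m.group(1)
            continue
        if _MD5_RE.match(line) and pending_name:
            entries.append(PackageEntry(section, pending_name, line, pending_outdated))
            pending_name, pending_outdated = None, None
            continue
        raise ValueError(f"unrecognised listing line: {raw!r}")
    if pending_name:
        raise ValueError(f"package listed without a checksum: {pending_name}")
    return entries


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 (integrity check against the listing only)."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(entries: List[PackageEntry], directory) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for entry in entries:
        path = Path(directory) / entry.filename
        if not path.is_file():
            results[entry.filename] = "missing"
        elif md5_of_file(path) == entry.md5:
            results[entry.filename] = "ok"
        else:
            results[entry.filename] = "mismatch"
    return results


def demo() -> dict:
    """Run the check against constructed stand-in files in a scratch directory."""
    entries = parse_package_listing(SAMPLE_LISTING)
    with tempfile.TemporaryDirectory() as scratch:
        good = Path(scratch) / "jgroups-2.4.6-1.ep1.el5.noarch.rpm"
        good.write_bytes(b"constructed stand-in, not a real rpm")
        # Patch the listing entry so the constructed file matches (simulates a good download).
        entries = [e._replace(md5=md5_of_file(good)) if e.filename == good.name else e
                   for e in entries]
        bad = Path(scratch) / "glassfish-jaxb-2.1.4-1.11.1.ep1.el5.src.rpm"
        bad.write_bytes(b"corrupted or truncated download")
        return verify_downloads(entries, scratch)


if __name__ == "__main__":
    for e in parse_package_listing(SAMPLE_LISTING):
        print(e)
    print(demo())
```

On a real system the listing text would be pasted from the advisory and `directory` pointed at the download location; anything reported as `mismatch` should be re-downloaded, and entries with `outdated_by` set signal that a newer erratum supersedes that package.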

Bugs fixed (see bugzilla for more information)

499602 - Tracker bug for the EAP 4.3.0.cp05 release for RHEL-5.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/