Security Advisory Low: jboss-remoting security update

Advisory: RHSA-2010:0964-1
Type: Security Advisory
Severity: Low
Issued on: 2010-12-08
Last updated on: 2010-12-08
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
                   JBoss Enterprise Application Platform 4.3.0 EL5
CVEs (cve.mitre.org): CVE-2010-4265

Details

An updated jboss-remoting package that fixes one security issue is now
available for JBoss Enterprise Application Platform 4.3 for Red Hat
Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

JBoss Remoting is a framework for building distributed applications in
Java.

The JBoss Enterprise Application Platform 4.3.0.CP09 updates RHSA-2010:0937
and RHSA-2010:0938 did not, contrary to what their errata texts stated,
provide a fix for CVE-2010-3862. A remote attacker could use specially-crafted
input to cause the JBoss Remoting listeners to become unresponsive, resulting
in a denial of service condition for services communicating via JBoss Remoting
sockets. (CVE-2010-4265)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

Warning: Before applying this update, back up your existing JBoss Enterprise
Application Platform installation (including all applications and
configuration files).

Users of JBoss Enterprise Application Platform 4.3 on Red Hat Enterprise
Linux 4 and 5 should upgrade to this updated package, which contains a
backported patch to correct this issue. The JBoss server process must be
restarted for this update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4

SRPMS:
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.src.rpm
    File outdated by: RHBA-2011:1297
    MD5:     bc44fb10a48cc26f7947319db56e2c4e
    SHA-256: 26492975ecee1fd64db7a567a6c18dc39005e4b01307a950cbc3282dc09b022e

IA-32:
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch.rpm
    File outdated by: RHBA-2011:1297
    MD5:     f07f5885e756e6921daf4324be9b592d
    SHA-256: 5ff72a40aff1a615bb94e10ccff8e6c0b28fb23be80b86d029bdb6d6885cc273

x86_64:
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch.rpm
    File outdated by: RHBA-2011:1297
    MD5:     f07f5885e756e6921daf4324be9b592d
    SHA-256: 5ff72a40aff1a615bb94e10ccff8e6c0b28fb23be80b86d029bdb6d6885cc273

JBoss Enterprise Application Platform 4.3.0 EL5

SRPMS:
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.src.rpm
    File outdated by: RHBA-2011:1298
    MD5:     1990aa45bd31b13e0441a089e9200c59
    SHA-256: cdd464467181b7ec423e05309bf15308337411cb05681ac518ae5b4d14184ce4

IA-32:
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.noarch.rpm
    File outdated by: RHBA-2011:1298
    MD5:     ffcf73fc6560ec57bea5dcb87d42799e
    SHA-256: a596027e852894757b59aa0cc97e532a12e0db5f38338a9273246159462e934c

x86_64:
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.noarch.rpm
    File outdated by: RHBA-2011:1298
    MD5:     ffcf73fc6560ec57bea5dcb87d42799e
    SHA-256: a596027e852894757b59aa0cc97e532a12e0db5f38338a9273246159462e934c

(The unlinked packages above are only available from the Red Hat Network)
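The SHA-256 values listed above are what an administrator should compare a downloaded package against before installing it. The following POSIX shell script is an added example, not part of this advisory or of Red Hat's tooling: it carries the package names and SHA-256 digests from the list above, checks whichever of those files are present in a directory you name, and refuses a mismatch. The function names and the assumption that all downloaded RPMs sit in one directory are this example's own. MD5 is deliberately ignored in favour of SHA-256.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: check downloaded RPMs
# against the SHA-256 values published in RHSA-2010:0964-1 before installing.
# Assumed: the packages were downloaded into one directory (argument 1);
# the helper names below are this example's own.

# Package name / SHA-256 pairs copied from the advisory's package list.
# The IA-32 and x86_64 noarch packages are the same file, so each appears once.
EXPECTED_SHA256='
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.src.rpm 26492975ecee1fd64db7a567a6c18dc39005e4b01307a950cbc3282dc09b022e
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch.rpm 5ff72a40aff1a615bb94e10ccff8e6c0b28fb23be80b86d029bdb6d6885cc273
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.src.rpm cdd464467181b7ec423e05309bf15308337411cb05681ac518ae5b4d14184ce4
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.noarch.rpm a596027e852894757b59aa0cc97e532a12e0db5f38338a9273246159462e934c
'

# Print the hex SHA-256 digest of a file (GNU coreutils or BSD/macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches exactly.
# The expected value is lower-cased so a digest pasted in upper case still
# compares; a missing file yields an empty digest and therefore fails.
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_advisory_packages DIR: check every listed package present in DIR.
# Prints OK / MISMATCH / MISSING per package and returns the number of
# mismatches. Missing files are reported but not counted, because a host
# only needs the packages for its own platform (EL4 or EL5).
verify_advisory_packages() {
    dir=$1
    mismatches=0
    while read -r name sum; do
        [ -n "$name" ] || continue          # skip blank lines in the table
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
        elif verify_sha256 "$path" "$sum"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (do not install)"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED_SHA256
EOF
    return $mismatches
}

# Stand-alone use: sh verify_rhsa.sh /path/to/downloaded/rpms
if [ "$#" -gt 0 ]; then
    verify_advisory_packages "$1"
fi
```

A non-zero exit status means at least one file with a listed name has the wrong digest and should be discarded and re-downloaded from the Red Hat Network. After the upgrade and the required restart of the JBoss server process, `rpm -q jboss-remoting` should report the package version listed above.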

Bugs fixed (see bugzilla for more information)

660623 - CVE-2010-4265 jboss-remoting: missing fix for CVE-2010-3862

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/