Security Advisory Important: jbossas and jboss-naming security update

Advisory: RHSA-2012:1026-1
Type: Security Advisory
Severity: Important
Issued on: 2012-06-20
Last updated on: 2012-06-20
Affected Products: JBoss Enterprise Application Platform 5 EL4,
                   JBoss Enterprise Application Platform 5 EL5,
                   JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2011-4605, CVE-2012-1167

Details

Updated jbossas and jboss-naming packages that fix two security issues are
now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

JBoss Application Server is the base package for JBoss Enterprise
Application Platform, providing the core server components. The Java Naming
and Directory Interface (JNDI) Java API allows Java software clients to
locate objects or services in an application server. The Java Authorization
Contract for Containers (Java ACC) specification defines Permission classes
and the binding of container access decisions to operations on instances of
these permission classes. JaccAuthorizationRealm performs authorization
based on Java ACC permissions and a Policy implementation.

It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)

When a JBoss server is configured to use JaccAuthorizationRealm, the
WebPermissionMapping class creates permissions that are not checked and can
permit access to users without checking their roles. If the
ignoreBaseDecision property is set to true on JBossWebRealm, the web
authorization process is handled exclusively by JBossAuthorizationEngine,
without any input from JBoss Web. This allows any valid user to access an
application, without needing to be assigned the role specified in the
application's web.xml "security-constraint" tag. (CVE-2012-1167)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605.

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform's "server/[PROFILE]/deploy/" directory, along with all
other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise
Linux 4, 5, and 6 should upgrade to these updated packages, which correct
these issues. The JBoss server process must be restarted for this update to
take effect.
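A check a practitioner would want before and after applying this erratum is whether the installed jbossas and jboss-naming packages are still older than the fixed versions listed below. The script that follows is an added example, not Red Hat's tooling: it implements rpm-style version/release segment comparison (epoch and the '~'/'^' rules are deliberately left out, on the assumption that these packages use neither) and runs it over a constructed `rpm -qa` listing against the EL6 package names from this advisory.

```python
import re

# Fixed EL6 packages as listed in the advisory (noarch, so IA-32 and x86_64 are identical).
FIXED_EL6 = [
    "jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm",
    "jbossas-5.1.2-10.ep5.el6.noarch.rpm",
    "jbossas-client-5.1.2-10.ep5.el6.noarch.rpm",
    "jbossas-messaging-5.1.2-10.ep5.el6.noarch.rpm",
    "jbossas-ws-native-5.1.2-10.ep5.el6.noarch.rpm",
]

# Constructed sample of `rpm -qa` output (NAME-VERSION-RELEASE.ARCH), not from a real host.
SAMPLE_RPM_QA = """\
jbossas-5.1.2-9.ep5.el6.noarch
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch
jbossas-messaging-5.1.2-8.CP01.ep5.el6.noarch
jbossas-ws-native-5.1.2-11.ep5.el6.noarch
httpd-2.2.15-15.el6.x86_64
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")   # rpm compares runs of digits or letters; separators are ignored

def rpmvercmp(a, b):
    """rpm-style comparison of two version or release strings: -1, 0 or 1 (no epoch, '~' or '^')."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():       # numeric segments compare as integers (01 == 1)
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():      # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                          # alpha segments compare as plain strings
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # all shared segments equal: more segments wins

def split_nvr(s):
    """'name-version-release.arch[.rpm]' -> (name, version, release); name may itself contain '-'."""
    s = s[:-4] if s.endswith(".rpm") else s
    return tuple(s.rsplit(".", 1)[0].rsplit("-", 2))   # drop arch, then split from the right

def find_vulnerable(rpm_qa_output, fixed_filenames):
    """Advisory packages whose installed version-release is older than the fixed one."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, fixed_filenames)}
    findings = []
    for line in filter(None, map(str.strip, rpm_qa_output.splitlines())):
        name, ver, rel = split_nvr(line)
        if name in fixed:
            fv, fr = fixed[name]
            if (rpmvercmp(ver, fv) or rpmvercmp(rel, fr)) < 0:   # version first, release breaks ties
                findings.append((name, f"{ver}-{rel}", f"{fv}-{fr}"))
    return findings
```

On a real host, feed it the output of `rpm -qa` and the package list for the host's platform; a package that is newer than the fixed release (as in the constructed jbossas-ws-native line) is reported as fine, since a later erratum supersedes this one.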


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 5 EL4 (all files outdated by RHSA-2013:0193)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
jbossas-5.1.2-10.ep5.el4.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-5.1.2-10.ep5.el4.noarch.rpm
jbossas-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el4.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 EL5 (all files outdated by RHSA-2013:0192)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.src.rpm
jbossas-5.1.2-10.ep5.el5.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm
jbossas-5.1.2-10.ep5.el5.noarch.rpm
jbossas-client-5.1.2-10.ep5.el5.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el5.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 EL6 (all files outdated by RHSA-2013:0191)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.src.rpm
jbossas-5.1.2-10.ep5.el6.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm
jbossas-5.1.2-10.ep5.el6.noarch.rpm
jbossas-client-5.1.2-10.ep5.el6.noarch.rpm
jbossas-messaging-5.1.2-10.ep5.el6.noarch.rpm
jbossas-ws-native-5.1.2-10.ep5.el6.noarch.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm


References

CVE-2011-4605: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4605
CVE-2012-1167: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1167

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/