Security Advisory Important: jbossas-web and jboss-naming security update

Advisory: RHSA-2012:1027-1
Type: Security Advisory
Severity: Important
Issued on: 2012-06-20
Last updated on: 2012-06-20
Affected Products: JBoss Enterprise Web Platform 5 EL4
                   JBoss Enterprise Web Platform 5 EL5
                   JBoss Enterprise Web Platform 5 EL6
CVEs (cve.mitre.org): CVE-2011-4605
                      CVE-2012-1167

Details

Updated jbossas-web and jboss-naming packages that fix two security issues
are now available for JBoss Enterprise Web Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

JBoss Application Server is the base package for JBoss Enterprise Web
Platform, providing the core server components. The Java Naming and
Directory Interface (JNDI) Java API allows Java software clients to locate
objects or services in an application server. The Java Authorization
Contract for Containers (Java ACC) specification defines Permission classes
and the binding of container access decisions to operations on instances of
these permission classes. JaccAuthorizationRealm performs authorization
based on Java ACC permissions and a Policy implementation.

It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)

When a JBoss server is configured to use JaccAuthorizationRealm, the
WebPermissionMapping class creates permissions that are not checked and can
permit access to users without checking their roles. If the
ignoreBaseDecision property is set to true on JBossWebRealm, the web
authorization process is handled exclusively by JBossAuthorizationEngine,
without any input from JBoss Web. This allows any valid user to access an
application, without needing to be assigned the role specified in the
application's web.xml "security-constraint" tag. (CVE-2012-1167)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605.

Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "server/[PROFILE]/deploy/" directory and any other customized
configuration files.

Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,
5, and 6 should upgrade to these updated packages, which correct these
issues. The JBoss server process must be restarted for this update to take
effect.
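As an added example, not part of the advisory, the check below tells whether installed jbossas-web and jboss-naming packages are at or above the fixed EL5 releases this advisory lists, using an rpm-style version comparison (a simplified re-implementation of rpm's rpmvercmp, not rpm's own code); the installed package strings are constructed sample input.

```python
import re

# Fixed (version, release) pairs from RHSA-2012:1027 for the EL5 builds; EL4 and
# EL6 differ only in the dist tag and are not handled by this FIXED table.
FIXED = {
    "jboss-naming": ("5.0.3", "4.CP01_patch_01.1.ep5.el5"),
    "jbossas-web": ("5.1.2", "10.ep5.el5"),
    "jbossas-web-client": ("5.1.2", "10.ep5.el5"),
    "jbossas-web-ws-native": ("5.1.2", "10.ep5.el5"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm-style compare of two version or release strings: separators are ignored,
    digit runs compare as integers, letter runs lexically, a digit run beats a letter
    run, and the side with segments left over is newer. Returns -1, 0 or 1 (no '~')."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True when an installed 'name-version-release' string is at or above the fix."""
    name, version, release = nvr.rsplit("-", 2)  # rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
    fixed_version, fixed_release = FIXED[name]
    # Version decides first; only when versions are equal does the release decide.
    return (rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)) >= 0

def vulnerable_packages(installed):
    """Advisory packages among `installed` that are still below the fixed release."""
    return [p for p in installed if p.rsplit("-", 2)[0] in FIXED and not is_fixed(p)]

# Constructed sample (not from the advisory): two entries are below the fixed
# releases, one is already at the fixed release, one is unrelated to the advisory.
SAMPLE_RPM_QA = [
    "jboss-naming-5.0.3-3.ep5.el5",
    "jbossas-web-5.1.2-10.ep5.el5",
    "jbossas-web-client-5.1.1-20.ep5.el5",
    "httpd-2.2.3-65.el5",
]
```

Running `vulnerable_packages(SAMPLE_RPM_QA)` returns the two jboss-naming and jbossas-web-client entries; any name not in FIXED is ignored rather than misreported.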


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Platform 5 EL4 (all files outdated by RHSA-2013:0197)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.src.rpm
jbossas-web-5.1.2-10.ep5.el4.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el4.noarch.rpm
jbossas-web-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el4.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 EL5 (all files outdated by RHSA-2013:0196)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.src.rpm
jbossas-web-5.1.2-10.ep5.el5.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.1.ep5.el5.noarch.rpm
jbossas-web-5.1.2-10.ep5.el5.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el5.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 EL6 (all files outdated by RHSA-2013:0195)

SRPMS:
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.src.rpm
jbossas-web-5.1.2-10.ep5.el6.src.rpm

IA-32 and x86_64 (noarch):
jboss-naming-5.0.3-4.CP01_patch_01.2.ep5.el6.noarch.rpm
jbossas-web-5.1.2-10.ep5.el6.noarch.rpm
jbossas-web-client-5.1.2-10.ep5.el6.noarch.rpm
jbossas-web-ws-native-5.1.2-10.ep5.el6.noarch.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default
802622 - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/