Skip to navigation

Security Advisory Moderate: mod_cluster security update

Advisory: RHSA-2012:1166-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-08-13
Last updated on: 2012-08-13
Affected Products: JBoss Enterprise Web Server v1 EL5
JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org): CVE-2012-1154

Details

Updated mod_cluster packages that fix one security issue are now available
for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

mod_cluster is an Apache HTTP Server (httpd) based load balancer that
forwards requests from httpd to application server nodes. It can use the
AJP, HTTP, or HTTPS protocols for communication with application server
nodes.

The RHSA-2012:0035 update for JBoss Enterprise Web Server 1.0.2 introduced
a regression, causing mod_cluster to register and expose the root context
of a server by default, even when "ROOT" was in the "excludedContexts" list
in the mod_cluster configuration. If an application was deployed on the
root context, a remote attacker could use this flaw to bypass intended
access restrictions and gain access to that application. (CVE-2012-1154)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of JBoss Enterprise Web Server 1.0.2 on Red Hat Enterprise Linux 5
and 6 should upgrade to these updated packages, which resolve this issue.
Apache Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v1 EL5

SRPMS:
mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm     MD5: 3b4050503555a1152d1f5e732e0d6824
SHA-256: e8fe77d7a774488c45decb55a9a1328c605bbd06e588fbb6534904dfd88a074d
 
IA-32:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 5e7448c40f5fe932eb5262bad123fc9a
SHA-256: 1fc28f3c1cbf66f7fc4019800e3b11f46bb3d0b9c5aac542e8636da0fdeecea3
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 930042e40dc9d50a128acb3d37a7f68c
SHA-256: 2923f7c7d738b1f0bea8aea62cbfbed88040032578bc49074847ee587fd5b5b0
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: e8f43b215cadcba1e34db17d400a4b8e
SHA-256: f19a0182637582985a0d56bb5537f0e80ab35798c9c52f11ca308028b803ae69
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 97598f4db4261e3e311f2ec1568a1696
SHA-256: 6f137688a7ce510496a481d5cad25ab46084ab51c1cc6ced61fbded66c236c5e
 
x86_64:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 5e7448c40f5fe932eb5262bad123fc9a
SHA-256: 1fc28f3c1cbf66f7fc4019800e3b11f46bb3d0b9c5aac542e8636da0fdeecea3
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 930042e40dc9d50a128acb3d37a7f68c
SHA-256: 2923f7c7d738b1f0bea8aea62cbfbed88040032578bc49074847ee587fd5b5b0
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: e8f43b215cadcba1e34db17d400a4b8e
SHA-256: f19a0182637582985a0d56bb5537f0e80ab35798c9c52f11ca308028b803ae69
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm     MD5: 97598f4db4261e3e311f2ec1568a1696
SHA-256: 6f137688a7ce510496a481d5cad25ab46084ab51c1cc6ced61fbded66c236c5e
 
JBoss Enterprise Web Server v1 EL6

SRPMS:
mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm     MD5: c5dae638aa2dbe73c0ea4ccd7491a0c7
SHA-256: 6c1ac971516de4710e1574d4d66c00861126a6663df57f735328da801fb77ac8
 
IA-32:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: ea6925023d8a1f4ba79543bd2b5a118d
SHA-256: fe14e972b0c7be23a5bcb6e690e6e47c5f552463b6786e3dbfa44a4cd12544f0
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 4c0536607e3cb8025ce4d3a4759a9976
SHA-256: e891e9b20d7eee5a24328c451e2fb7857851f8e006a811e8ed580e1c9ec15a4e
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 5b4c3f45c04ea4500e269c46f524a696
SHA-256: 7000fe8b0bae8a053195db4c8975bb8836ef9f754053c1e39a6a86ee86dd3fcc
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 1ce77be3bc42cd1cef06f1b31750aedd
SHA-256: 1c7d305ac79b5597ad61197f32a7c7d97f8725a76d8f747ebda3728b49eff79d
 
x86_64:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: ea6925023d8a1f4ba79543bd2b5a118d
SHA-256: fe14e972b0c7be23a5bcb6e690e6e47c5f552463b6786e3dbfa44a4cd12544f0
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 4c0536607e3cb8025ce4d3a4759a9976
SHA-256: e891e9b20d7eee5a24328c451e2fb7857851f8e006a811e8ed580e1c9ec15a4e
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 5b4c3f45c04ea4500e269c46f524a696
SHA-256: 7000fe8b0bae8a053195db4c8975bb8836ef9f754053c1e39a6a86ee86dd3fcc
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm     MD5: 1ce77be3bc42cd1cef06f1b31750aedd
SHA-256: 1c7d305ac79b5597ad61197f32a7c7d97f8725a76d8f747ebda3728b49eff79d
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/