Skip to navigation

Security Advisory Moderate: jbossweb security update

Advisory: RHSA-2013:0629-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-03-11
Last updated on: 2013-03-11
Affected Products: JBoss Enterprise Application Platform 5 EL4
JBoss Enterprise Application Platform 5 EL5
JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2012-5885
CVE-2012-5886
CVE-2012-5887

Details

Updated jbossweb packages for JBoss Enterprise Application Platform 5.2.0
which fix multiple security issues are now available for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise
Application Platform. It provides a single deployment platform for the
JavaServer Pages (JSP) and Java Servlet technologies.

Multiple weaknesses were found in the JBoss Web DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 5 EL4
SRPMS:
jbossweb-2.1.13-3_patch_02.ep5.el4.src.rpm     MD5: 30292f1c69022000a663608c0381a9e8
SHA-256: 32e0a00a5c81b936e3042b22a3c23eeaf1d95d9c1dcac26bb23b381ca0b14950
 
IA-32:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 2cad6bcea3a5944c45bb77c2093d9a7e
SHA-256: d761a2d9eed4fa0431d8a1b2dd5b49e19819081e18cb839251d1439c6ed722e1
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: c1b81dbb97d41bc1d41eb0379468987f
SHA-256: 79db4702521d35f745e6c0455a00d771be401a14f6b4d5dee1102d9d773d0e6c
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 037eb9a849fd066e1f8997ab1ee4e78d
SHA-256: 6e06cbd740312b6e160743acb2d5c5c30cb6ff62c9eea184d7aa4160065e1fa0
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 625dbdb5fe89edbefe90afb19141ff44
SHA-256: 5683956671ceecb84541ca029bf202c5f5358a99e82ff4432c23e731885475ae
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: fabf8a6a517a20a7a5ff6ac5e6aa1864
SHA-256: c1675db4fdcd8a57b391321252dedddb07fa4cd1db9118c30699aa622aaac5d0
 
x86_64:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 2cad6bcea3a5944c45bb77c2093d9a7e
SHA-256: d761a2d9eed4fa0431d8a1b2dd5b49e19819081e18cb839251d1439c6ed722e1
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: c1b81dbb97d41bc1d41eb0379468987f
SHA-256: 79db4702521d35f745e6c0455a00d771be401a14f6b4d5dee1102d9d773d0e6c
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 037eb9a849fd066e1f8997ab1ee4e78d
SHA-256: 6e06cbd740312b6e160743acb2d5c5c30cb6ff62c9eea184d7aa4160065e1fa0
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: 625dbdb5fe89edbefe90afb19141ff44
SHA-256: 5683956671ceecb84541ca029bf202c5f5358a99e82ff4432c23e731885475ae
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm     MD5: fabf8a6a517a20a7a5ff6ac5e6aa1864
SHA-256: c1675db4fdcd8a57b391321252dedddb07fa4cd1db9118c30699aa622aaac5d0
 
JBoss Enterprise Application Platform 5 EL5
SRPMS:
jbossweb-2.1.13-3_patch_02.ep5.el5.src.rpm     MD5: 504ccf9cbe0b502852993ce21a4ebfd0
SHA-256: e6727002fccf1cbbc8bc0803a1921ba2349125764338c93a48a53783c649e658
 
IA-32:
jbossweb-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 50f6ea10265b29e21d83be73ac62ede5
SHA-256: b140365bf2eb85e16b44c35a8bec7c251dea1ce50ee627e1f802e2d4c8846211
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 21dfd5fb9ef13176bd662ce16febce89
SHA-256: 29754bd5823888b9537632a156140cad35a843efc393bdb4c54d85f7d3a1e066
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 4ba34099555f8e45e9fa34dc7173dda2
SHA-256: 7e8de223aaa2c688ceee242200e0713f3afaf8dc5ca19ff189c264d8566a850f
jbossweb-lib-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 6b8e1984e3573842efbc8eb5410a747f
SHA-256: 7cb37de387696e60286baf4e270442ab389ced140c80739912e0b60d33833cbe
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 0daafda31e4c69dff50db828948b7efa
SHA-256: bc5c1cebcab27fe9e91b0748636195abbe544a43bb076b74ac16d6ec706d9f7a
 
x86_64:
jbossweb-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 50f6ea10265b29e21d83be73ac62ede5
SHA-256: b140365bf2eb85e16b44c35a8bec7c251dea1ce50ee627e1f802e2d4c8846211
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 21dfd5fb9ef13176bd662ce16febce89
SHA-256: 29754bd5823888b9537632a156140cad35a843efc393bdb4c54d85f7d3a1e066
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 4ba34099555f8e45e9fa34dc7173dda2
SHA-256: 7e8de223aaa2c688ceee242200e0713f3afaf8dc5ca19ff189c264d8566a850f
jbossweb-lib-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 6b8e1984e3573842efbc8eb5410a747f
SHA-256: 7cb37de387696e60286baf4e270442ab389ced140c80739912e0b60d33833cbe
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm     MD5: 0daafda31e4c69dff50db828948b7efa
SHA-256: bc5c1cebcab27fe9e91b0748636195abbe544a43bb076b74ac16d6ec706d9f7a
 
JBoss Enterprise Application Platform 5 EL6
SRPMS:
jbossweb-2.1.13-4_patch_02.ep5.el6.src.rpm     MD5: 4cb13f58ab2336ee8532c6e804707fa5
SHA-256: a78eb015b053713079bee0a8696d519e6cb1ecaf464f3a1543ea3492b585d332
 
IA-32:
jbossweb-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 6e3eedba587226fc09b3af4f438995fc
SHA-256: 4c9e252c3c151d11d171baade95ce3b132846a54ca6f217381d7d498a3887988
jbossweb-el-1.0-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 9aa6b01ec101fdc873288ec846c58874
SHA-256: 0f4c0d7904ac9812064b928c4fa85542327ea7c507b0023159053aa8f64a1034
jbossweb-jsp-2.1-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 3eac1bbc8b13d446c03974d7159da5fd
SHA-256: 640bf8d464c9552dffedc77206bae47cc3f9c04ce7f19278624e08a02084dc7e
jbossweb-lib-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 0c5a5462ae8fb03ff63b9e9b13e99560
SHA-256: 07960bd6a4446cc2a4403f8c390254ad7b0f1cdc190dfcaa3f81d496833dcf12
jbossweb-servlet-2.5-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 537f645e1a1946a784affd46b1268f9f
SHA-256: cb1953ccca41374ffbb6ef5bdd16ba4a262943e851abdfe343704b6ce96532fc
 
x86_64:
jbossweb-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 6e3eedba587226fc09b3af4f438995fc
SHA-256: 4c9e252c3c151d11d171baade95ce3b132846a54ca6f217381d7d498a3887988
jbossweb-el-1.0-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 9aa6b01ec101fdc873288ec846c58874
SHA-256: 0f4c0d7904ac9812064b928c4fa85542327ea7c507b0023159053aa8f64a1034
jbossweb-jsp-2.1-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 3eac1bbc8b13d446c03974d7159da5fd
SHA-256: 640bf8d464c9552dffedc77206bae47cc3f9c04ce7f19278624e08a02084dc7e
jbossweb-lib-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 0c5a5462ae8fb03ff63b9e9b13e99560
SHA-256: 07960bd6a4446cc2a4403f8c390254ad7b0f1cdc190dfcaa3f81d496833dcf12
jbossweb-servlet-2.5-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm     MD5: 537f645e1a1946a784affd46b1268f9f
SHA-256: cb1953ccca41374ffbb6ef5bdd16ba4a262943e851abdfe343704b6ce96532fc
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues


References

https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/