Skip to navigation

Security Advisory Moderate: Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3

Advisory: RHSA-2013:1286-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-26
Last updated on: 2013-09-26
Affected Products:
CVEs (cve.mitre.org): CVE-2013-4372

Details

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3, which fixes multiple security issues
and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an
integration platform. Red Hat JBoss A-MQ 6.0.0, based on Apache ActiveMQ,
is a standards compliant messaging system that is tailored for use in
mission critical applications.

Red Hat JBoss Fuse/A-MQ 6.0.0 patch 3 is an update to Red Hat JBoss Fuse
6.0.0 and Red Hat JBoss A-MQ 6.0.0, including bug fixes. Refer to the
readme file included with the patch files for information about these
fixes.

The following security issues are also resolved with this update:

Multiple stored cross-site scripting (XSS) flaws were found in the Fuse
Management Console. A remote attacker could use these flaws to perform an
XSS attack against other users of the Fuse Management Console.
(CVE-2013-4372)

All users of Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0 as
provided from the Red Hat Customer Portal are advised to apply this patch.


Solution

The References section of this erratum contains a download link (you must
log in to download the update).

Updated packages


Bugs fixed (see bugzilla for more information)

1011736 - CVE-2013-4372 Fuse Management Console: Stored cross-site scripting (XSS)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/