Moderate: Red Hat JBoss Enterprise Application Platform 6.3 openssl security update
|Last updated on:||2014-09-24|
An update for the OpenSSL packages for Red Hat JBoss Enterprise Application
Platform 6.3 that fixes multiple security issues is now available from the
Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
It was discovered that the OBJ_obj2txt() function could fail to properly
NUL-terminate its output. This could possibly cause an application using
OpenSSL functions to format fields of X.509 certificates to disclose
portions of its memory. (CVE-2014-3508)
Two flaws were discovered in the way OpenSSL handled DTLS packets. A remote
attacker could use these flaws to cause a DTLS server or client using
OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505,
A NULL pointer dereference flaw was found in the way OpenSSL performed a
handshake when using the anonymous Diffie-Hellman (DH) key exchange. A
malicious server could cause a DTLS client using OpenSSL to crash if that
client had anonymous DH cipher suites enabled. (CVE-2014-3510)
All users of Red Hat JBoss Enterprise Application Platform 6.3.0 as
provided from the Red Hat Customer Portal are advised to apply this update.
The JBoss server process must be restarted for the update to take effect.
log in to download the update). Before applying this update, back up your
existing Red Hat JBoss Enterprise Application Platform installation and
Bugs fixed (see bugzilla for more information)
1127490 - CVE-2014-3508 openssl: information leak in pretty printing functions
1127499 - CVE-2014-3505 openssl: DTLS packet processing double free
1127500 - CVE-2014-3506 openssl: DTLS memory exhaustion
1127503 - CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: