Security Advisory Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update

Advisory: RHSA-2009:1650-1
Type: Security Advisory
Severity: Moderate
Issued on: 2009-12-09
Last updated on: 2009-12-09
Affected Products: JBoss Enterprise Application Platform 4.2.0 EL5
CVEs (cve.mitre.org): CVE-2009-0217
CVE-2009-1380
CVE-2009-2405
CVE-2009-2625
CVE-2009-3554

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
multiple security issues, several bugs, and add enhancements are now
available for Red Hat Enterprise Linux 5 as JBEAP 4.2.0.CP08.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

JBoss Enterprise Application Platform integrates the JBoss Application
Server with JBoss Hibernate and JBoss Seam into a single enterprise platform
for scalable Java applications.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a
replacement to JBEAP 4.2.0.CP07.

These updated packages include bug fixes and enhancements which are
detailed in the Release Notes, available shortly from:
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/

The following security issues are also fixed with this release:

A missing check for the recommended minimum length of the truncated form of
HMAC-based XML signatures was found in xml-security. The XML Signature
specification lets a signature's HMACOutputLength parameter truncate the
HMAC, and xml-security did not enforce a lower bound on that value. An
attacker could use this flaw to create a specially-crafted XML file that
declares a truncation length of 0 or 1 bit and carries an arbitrary
signature value, forging an XML signature without knowing the HMAC key and
allowing the attacker to bypass authentication that is based on the XML
Signature specification. (CVE-2009-0217)

Swatej Kumar discovered cross-site scripting (XSS) flaws in the JBoss
Application Server Web Console. An attacker could use these flaws to
present misleading data to an authenticated user, or execute arbitrary
scripting code in the context of the authenticated user's browser session.
(CVE-2009-2405)

A flaw was found in the way the Apache Xerces2 Java Parser processed the
SYSTEM identifier in DTDs. A remote attacker could provide a
specially-crafted XML file, which once parsed by an application using the
Apache Xerces2 Java Parser, would lead to a denial of service (application
hang due to excessive CPU use). (CVE-2009-2625)
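The denial of service above is reached only when the parser processes a DOCTYPE, so the standard hardening for untrusted XML is to refuse DTDs outright; in Xerces2 that is the `http://apache.org/xml/features/disallow-doctype-decl` feature. The block below is an added example, not the advisory's or Xerces' code: it shows the same policy with Python's expat binding, aborting the parse at the DOCTYPE declaration before any SYSTEM identifier is examined. The sample documents are constructed for the example.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised at the DOCTYPE so no DTD, SYSTEM identifier or entity is ever processed."""


def parse_untrusted(xml_bytes: bytes) -> list:
    """Parse untrusted XML and return the element names seen, refusing any DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the DTD body is parsed, so a crafted SYSTEM id is never read.
        raise DoctypeRejected("DOCTYPE %r (SYSTEM %r) refused in untrusted input" % (name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)   # a handler exception propagates out of Parse
    return names


def classify(xml_bytes: bytes) -> tuple:
    """Return ("ok", names), ("doctype", reason) or ("malformed", reason)."""
    try:
        return ("ok", parse_untrusted(xml_bytes))
    except DoctypeRejected as exc:
        return ("doctype", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("malformed", str(exc))


# Constructed sample inputs for the example.
CLEAN = b"<Envelope><Body><Ping/></Body></Envelope>"
CRAFTED = b'<!DOCTYPE Envelope SYSTEM "evil.dtd"><Envelope><Body/></Envelope>'
BROKEN = b"<Envelope><Body></Envelope>"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("crafted", CRAFTED), ("broken", BROKEN)):
        print(label, "->", classify(doc))
```

Rejecting DOCTYPE at the boundary is coarser than the upstream fix but also closes external-entity and entity-expansion attacks in the same stroke; endpoints that genuinely need DTDs should keep a separate, tightly scoped parser configuration for them.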

An information leak flaw was found in the twiddle command line client. The
JMX password was logged in plain text to "twiddle.log". (CVE-2009-3554)
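Updating stops twiddle from writing the password, but any "twiddle.log" written before the update still holds it. The following added example (not part of the advisory or of twiddle) does two things a practitioner wants here: masks password arguments before a command line is logged, and sweeps existing log lines for unmasked ones. The option spellings `-p`/`--password` are assumed for the example, as are the sample log lines and the log line format.

```python
import re

# Assumed option spellings for the password; check against your twiddle usage text.
PASSWORD_OPTS = ("-p", "--password")
MASK = "<redacted>"

# Matches "-p VALUE", "-pVALUE", "--password VALUE" or "--password=VALUE" whose
# value is not already the mask.
LEAK_RE = re.compile(r"(?:^|\s)(?:-p\s*|--password[=\s])(?!<redacted>)(\S+)")


def redact_argv(argv: list) -> list:
    """Return a copy of argv with every password value replaced by MASK."""
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in PASSWORD_OPTS:                     # "-p VALUE" / "--password VALUE"
            out.append(arg)
            if i + 1 < len(argv):
                out.append(MASK)
                i += 1
        elif arg.startswith("--password="):          # "--password=VALUE"
            out.append("--password=" + MASK)
        elif arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            out.append("-p" + MASK)                  # "-pVALUE"
        else:
            out.append(arg)
        i += 1
    return out


def find_leaks(lines: list) -> list:
    """Return the log lines that still carry an unmasked password argument."""
    return [line for line in lines if LEAK_RE.search(line)]


# Constructed sample log lines for the example; the real twiddle.log layout may differ.
SAMPLE_LOG = [
    "2009-12-01 10:15:02 DEBUG [twiddle] args: -s localhost -u admin -p s3cr3t get jboss.system:type=Server Started",
    "2009-12-01 10:15:03 DEBUG [twiddle] args: -s localhost -u admin -p <redacted> get jboss.system:type=Server Started",
    "2009-12-01 10:16:11 INFO  [twiddle] invoking jboss.system:type=Server",
]

if __name__ == "__main__":
    print("leaked lines:", find_leaks(SAMPLE_LOG))
    print("safe to log:", " ".join(redact_argv(["-u", "admin", "-p", "s3cr3t", "get", "x"])))
```

Any host where the sweep finds a hit should be treated as having exposed the JMX credential: rotate it, then scrub or delete the old log. Restricting the permissions on "twiddle.log" limits who can read future leaks but does nothing for copies already taken.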

An XSS flaw was found in the filter parameter of the JMX Console. An
attacker could use this flaw to present misleading data to an authenticated
user, or execute arbitrary scripting code in the context of the
authenticated user's browser session. (CVE-2009-1380)

Warning: Before applying this update, please backup the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.2.0 EL5

SRPMS:
glassfish-jsf-1.2_13-2.1.ep1.el5.src.rpm     MD5: a2de0335ba5f2d6f9e55857cf84b08e8
hibernate3-annotations-3.3.1-1.11GA_CP02.ep1.el5.src.rpm
File outdated by:  RHSA-2010:0378
    MD5: a9b5ea4884ff0ff707399cd20898b850
hibernate3-entitymanager-3.3.2-2.5.1.ep1.el5.src.rpm     MD5: 537c526179cbdb696ce1a375d3817d6e
jacorb-2.3.0-1jpp.ep1.9.1.el5.src.rpm
File outdated by:  RHSA-2010:0378
    MD5: fe16bbfba0977c41e1c21717acbcb954
jboss-aop-1.5.5-3.CP04.2.ep1.el5.src.rpm
File outdated by:  RHSA-2010:0378
    MD5: 37934d544e9c898b765e351b0dde5002
jboss-seam-1.2.1-1.ep1.14.el5.src.rpm
File outdated by:  RHSA-2010:0378
    MD5: 6e69ed3dcc3641e2e70948c8f4c06e50
jbossas-4.2.0-5.GA_CP08.5.2.ep1.el5.src.rpm
File outdated by:  RHSA-2011:1309
    MD5: b3829963b1dc62d5ebb2f155a92b62a0
jbossweb-2.0.0-6.CP12.0jpp.ep1.2.el5.src.rpm
File outdated by:  RHSA-2011:0210
    MD5: 6c72417b1272d06e1fe6fe9d6fde0a40
jcommon-1.0.16-1.1.ep1.el5.src.rpm     MD5: 767a3d680cf118c795a254ebfea96f20
quartz-1.5.2-1jpp.patch01.ep1.4.1.el5.src.rpm     MD5: cecf42cc21388157a36b65d2d1a6c76c
rh-eap-docs-4.2.0-6.GA_CP08.ep1.3.el5.src.rpm
File outdated by:  RHSA-2010:0378
    MD5: f2ffc669d232c19393ec0311e8d6f254
 
IA-32:
glassfish-jsf-1.2_13-2.1.ep1.el5.noarch.rpm     MD5: 04f584603789b515975f0b8ba2aeb639
hibernate3-3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: c6c7de12fa17f38e4d02d586693e6f2e
hibernate3-annotations-3.3.1-1.11GA_CP02.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 97461b31e6e5c0cd9df88511f9aa30ef
hibernate3-annotations-javadoc-3.3.1-1.11GA_CP02.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 5db528dffaa70a07f9c26bc52a027b5c
hibernate3-entitymanager-3.3.2-2.5.1.ep1.el5.noarch.rpm     MD5: 1115ed9d9b0f36d66c61eab92b23dee5
hibernate3-entitymanager-javadoc-3.3.2-2.5.1.ep1.el5.noarch.rpm     MD5: 2d6bf5fb363d24781d93df5f278d5fba
hibernate3-javadoc-3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: adf8eca16bfeff5da029f3b2d5c31adb
jacorb-2.3.0-1jpp.ep1.9.1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 87218adad538d5298b454d416db733ff
jboss-aop-1.5.5-3.CP04.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 24682e81b7bfe51984ccb0a004e0637c
jboss-common-1.2.1-0jpp.ep1.3.el5.1.noarch.rpm     MD5: f125e70a9b5b33b63e2c05d70b24c9c3
jboss-remoting-2.2.3-3.SP1.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: b2b736c389d01c5380a73f7279cd330f
jboss-seam-1.2.1-1.ep1.14.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 57b7e57984c885511b7ea4a55a3ef454
jboss-seam-docs-1.2.1-1.ep1.14.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 0d06e1d236bcdf71f746b5e913ed610b
jbossas-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 093a081937cff3ae3fdef21662d75808
jbossas-4.2.0.GA_CP08-bin-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm     MD5: 105e519aff94be820771941ea42d1c02
jbossas-client-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 50e5ff24da3a38f06a104439dfe95407
jbossts-4.2.3-1.SP5_CP08.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 39c732c8ff5378cc06d12bbec16f2f85
jbossweb-2.0.0-6.CP12.0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2011:0210
    MD5: b12da99748d2b135daf982624899a52e
jcommon-1.0.16-1.1.ep1.el5.noarch.rpm     MD5: ec9d9c370371f671186d349a0c838b78
jfreechart-1.0.13-2.3.1.ep1.el5.noarch.rpm     MD5: 6866a0a793ccca145f77181ec68bcb82
jgroups-2.4.7-1.ep1.el5.noarch.rpm     MD5: 28eca9d89579574707c6c6b3ead360db
quartz-1.5.2-1jpp.patch01.ep1.4.1.el5.noarch.rpm     MD5: 9d6223040d629f853fe9575d324fa455
rh-eap-docs-4.2.0-6.GA_CP08.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 37776bee14e0e4a0bd86a908d0712e1b
rh-eap-docs-examples-4.2.0-6.GA_CP08.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 92c9a7ae1a4f8e9602f6854fda85c791
xml-security-1.3.0-1.3.patch01.ep1.2.1.el5.noarch.rpm     MD5: a8a2d078bee6a7fff7c07a79d693a6f0
 
x86_64:
glassfish-jsf-1.2_13-2.1.ep1.el5.noarch.rpm     MD5: 04f584603789b515975f0b8ba2aeb639
hibernate3-3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: c6c7de12fa17f38e4d02d586693e6f2e
hibernate3-annotations-3.3.1-1.11GA_CP02.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 97461b31e6e5c0cd9df88511f9aa30ef
hibernate3-annotations-javadoc-3.3.1-1.11GA_CP02.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 5db528dffaa70a07f9c26bc52a027b5c
hibernate3-entitymanager-3.3.2-2.5.1.ep1.el5.noarch.rpm     MD5: 1115ed9d9b0f36d66c61eab92b23dee5
hibernate3-entitymanager-javadoc-3.3.2-2.5.1.ep1.el5.noarch.rpm     MD5: 2d6bf5fb363d24781d93df5f278d5fba
hibernate3-javadoc-3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: adf8eca16bfeff5da029f3b2d5c31adb
jacorb-2.3.0-1jpp.ep1.9.1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 87218adad538d5298b454d416db733ff
jboss-aop-1.5.5-3.CP04.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 24682e81b7bfe51984ccb0a004e0637c
jboss-common-1.2.1-0jpp.ep1.3.el5.1.noarch.rpm     MD5: f125e70a9b5b33b63e2c05d70b24c9c3
jboss-remoting-2.2.3-3.SP1.ep1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: b2b736c389d01c5380a73f7279cd330f
jboss-seam-1.2.1-1.ep1.14.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 57b7e57984c885511b7ea4a55a3ef454
jboss-seam-docs-1.2.1-1.ep1.14.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 0d06e1d236bcdf71f746b5e913ed610b
jbossas-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 093a081937cff3ae3fdef21662d75808
jbossas-4.2.0.GA_CP08-bin-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm     MD5: 105e519aff94be820771941ea42d1c02
jbossas-client-4.2.0-5.GA_CP08.5.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2011:1309
    MD5: 50e5ff24da3a38f06a104439dfe95407
jbossts-4.2.3-1.SP5_CP08.1jpp.ep1.1.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 39c732c8ff5378cc06d12bbec16f2f85
jbossweb-2.0.0-6.CP12.0jpp.ep1.2.el5.noarch.rpm
File outdated by:  RHSA-2011:0210
    MD5: b12da99748d2b135daf982624899a52e
jcommon-1.0.16-1.1.ep1.el5.noarch.rpm     MD5: ec9d9c370371f671186d349a0c838b78
jfreechart-1.0.13-2.3.1.ep1.el5.noarch.rpm     MD5: 6866a0a793ccca145f77181ec68bcb82
jgroups-2.4.7-1.ep1.el5.noarch.rpm     MD5: 28eca9d89579574707c6c6b3ead360db
quartz-1.5.2-1jpp.patch01.ep1.4.1.el5.noarch.rpm     MD5: 9d6223040d629f853fe9575d324fa455
rh-eap-docs-4.2.0-6.GA_CP08.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 37776bee14e0e4a0bd86a908d0712e1b
rh-eap-docs-examples-4.2.0-6.GA_CP08.ep1.3.el5.noarch.rpm
File outdated by:  RHSA-2010:0378
    MD5: 92c9a7ae1a4f8e9602f6854fda85c791
xml-security-1.3.0-1.3.patch01.ep1.2.1.el5.noarch.rpm     MD5: a8a2d078bee6a7fff7c07a79d693a6f0
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

510023 - CVE-2009-2405 JBoss Application Server Web Console XSS
511224 - CVE-2009-1380 jbossas JMX-Console cross-site-scripting in filter parameter
511915 - CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
512921 - CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701)
532111 - Tracker bug for the EAP 4.2.0.cp08 release for RHEL-5.
539495 - CVE-2009-3554 JBoss EAP Twiddle logs the JMX password


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/