Security Advisory Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update

Advisory: RHSA-2010:0376-1
Type: Security Advisory
Severity: Critical
Issued on: 2010-04-26
Last updated on: 2010-04-26
Affected Products: JBoss Enterprise Application Platform 4.2.0 EL4
CVEs (cve.mitre.org): CVE-2010-0738, CVE-2010-1428, CVE-2010-1429

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
three security issues and multiple bugs are now available for Red Hat
Enterprise Linux 4 as JBEAP 4.2.0.CP09.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 4 serves as a
replacement for JBEAP 4.2.0.CP08.

These updated packages include multiple bug fixes which are detailed in the
Release Notes. The Release Notes will be available shortly from the link
in the References section.

The following security issues are also fixed with this release:

The JMX Console configuration only specified an authentication requirement
for requests that used the GET and POST HTTP "verbs". A remote attacker
could create an HTTP request that does not specify GET or POST, causing it
to be executed by the default GET handler without authentication. This
release contains a JMX Console with an updated configuration that no longer
specifies the HTTP verbs. This means that the authentication requirement is
applied to all requests. (CVE-2010-0738)

For the CVE-2010-0738 issue, if an immediate upgrade is not possible or the
server deployment has been customized, a manual fix can be applied. Refer
to the "Security" subsection of the "Issues fixed in this release" section
(JBPAPP-3952) of the JBEAP Release Notes, linked to in the References, for
details. Contact Red Hat JBoss Support for advice before making the changes
noted in the Release Notes.

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
Security for responsibly reporting the CVE-2010-0738 issue.

Unauthenticated access to the JBoss Application Server Web Console
(/web-console) is blocked by default. However, it was found that this block
was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker
could use this flaw to gain access to sensitive information. This release
contains a Web Console with an updated configuration that now blocks all
unauthenticated access to it by default. (CVE-2010-1428)

The RHSA-2008:0825 update fixed an issue (CVE-2008-3273) where
unauthenticated users were able to access the status servlet; however, a
bug fix included in the RHSA-2009:0346 update re-introduced the issue. A
remote attacker could use this flaw to acquire details about deployed web
contexts. (CVE-2010-1429)

Warning: Before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 4 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.2.0 EL4


Bugs fixed (see bugzilla for more information)

571813 - Tracker bug for the EAP 4.2.0.cp09 release.
574105 - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
585899 - CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
585900 - CVE-2010-1429 JBossEAP status servlet info leak


References
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/