
Security Advisory Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update

Advisory: RHSA-2010:0377-1
Type: Security Advisory
Severity: Critical
Issued on: 2010-04-26
Last updated on: 2010-04-26
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
CVEs (cve.mitre.org): CVE-2010-0738, CVE-2010-1428, CVE-2010-1429

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
three security issues and multiple bugs are now available for Red Hat
Enterprise Linux 4 as JBEAP 4.3.0.CP08.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 4 serves as a
replacement to JBEAP 4.3.0.CP07.

These updated packages include multiple bug fixes which are detailed in the
Release Notes. The Release Notes will be available shortly from the link
in the References section.

The following security issues are also fixed with this release:

The JMX Console configuration only specified an authentication requirement
for requests that used the GET and POST HTTP "verbs". A remote attacker
could create an HTTP request that does not specify GET or POST, causing it
to be executed by the default GET handler without authentication. This
release contains a JMX Console with an updated configuration that no longer
specifies the HTTP verbs. This means that the authentication requirement is
applied to all requests. (CVE-2010-0738)

For the CVE-2010-0738 issue, if an immediate upgrade is not possible or the
server deployment has been customized, a manual fix can be applied. Refer
to the "Security" subsection of the "Issues fixed in this release" section
(JBPAPP-3952) of the JBEAP Release Notes, linked to in the References, for
details. Contact Red Hat JBoss Support for advice before making the changes
noted in the Release Notes.

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
Security for responsibly reporting the CVE-2010-0738 issue.

Unauthenticated access to the JBoss Application Server Web Console
(/web-console) is blocked by default. However, it was found that this block
was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker
could use this flaw to gain access to sensitive information. This release
contains a Web Console with an updated configuration that now blocks all
unauthenticated access to it by default. (CVE-2010-1428)
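Both the JMX Console issue (CVE-2010-0738) and the Web Console issue (CVE-2010-1428) share one root cause: a web.xml security-constraint that lists explicit http-method elements applies its auth-constraint only to those verbs. The following audit script is an added example, not code from Red Hat or the JBoss project; it parses a constructed web.xml fragment shaped like the verb-limited constraint described above, flags it, and confirms that the corrected form (the http-method elements removed) produces no finding. The resource name HtmlAdaptor and role JBossAdmin in the sample are assumed values.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the advisory's own text) in the shape of
# the verb-limited configuration: authentication is declared for GET and
# POST only, so any other HTTP verb reaches the resource unauthenticated.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The corrected form: the same constraint with the <http-method> elements
# removed, which makes the auth-constraint apply to every verb.
FIXED_WEB_XML = "\n".join(
    line for line in WEAK_WEB_XML.splitlines() if "<http-method>" not in line)


def _local(tag):
    """Strip the XML namespace so real (namespaced) web.xml files match too."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def verb_limited_constraints(web_xml):
    """Return (resource-name, url-patterns, verbs) for each security-constraint
    that declares an auth-constraint but lists explicit http-method elements."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not _children(sc, "auth-constraint"):
            continue  # no authentication requirement declared at all
        for wrc in _children(sc, "web-resource-collection"):
            verbs = [m.text.strip().upper() for m in _children(wrc, "http-method")]
            if verbs:
                name = "".join(n.text or "" for n in _children(wrc, "web-resource-name"))
                patterns = [p.text.strip() for p in _children(wrc, "url-pattern")]
                findings.append((name, patterns, verbs))
    return findings
```

Run verb_limited_constraints() over each deployed web.xml; any finding means verbs outside the listed set bypass the auth-constraint and the http-method elements should be dropped as this release does.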

The RHSA-2008:0826 update fixed an issue (CVE-2008-3273) where
unauthenticated users were able to access the status servlet; however, a
bug fix included in the RHSA-2009:0347 update re-introduced the issue. A
remote attacker could use this flaw to acquire details about deployed web
contexts. (CVE-2010-1429)

Warning: Before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 4 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4


Bugs fixed (see bugzilla for more information)

571828 - Tracker bug for the EAP 4.3.0.cp08 release.
574105 - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
585899 - CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
585900 - CVE-2010-1429 JBossEAP status servlet info leak


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/