Security Advisory Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update

Advisory: RHSA-2010:0378-1
Type: Security Advisory
Severity: Critical
Issued on: 2010-04-26
Last updated on: 2010-04-26
Affected Products: JBoss Enterprise Application Platform 4.2.0 EL5
CVEs (cve.mitre.org): CVE-2010-0738, CVE-2010-1428, CVE-2010-1429

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
three security issues and multiple bugs are now available for Red Hat
Enterprise Linux 5 as JBEAP 4.2.0.CP09.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a
replacement to JBEAP 4.2.0.CP08.

These updated packages include multiple bug fixes which are detailed in the
Release Notes. The Release Notes will be available shortly from the link
in the References section.

The following security issues are also fixed with this release:

The JMX Console configuration only specified an authentication requirement
for requests that used the GET and POST HTTP "verbs". A remote attacker
could create an HTTP request that does not specify GET or POST, causing it
to be executed by the default GET handler without authentication. This
release contains a JMX Console with an updated configuration that no longer
specifies the HTTP verbs. This means that the authentication requirement is
applied to all requests. (CVE-2010-0738)

For the CVE-2010-0738 issue, if an immediate upgrade is not possible or the
server deployment has been customized, a manual fix can be applied. Refer
to the "Security" subsection of the "Issues fixed in this release" section
(JBPAPP-3952) of the JBEAP Release Notes, linked to in the References, for
details. Contact Red Hat JBoss Support for advice before making the changes
noted in the Release Notes.

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
Security for responsibly reporting the CVE-2010-0738 issue.

Unauthenticated access to the JBoss Application Server Web Console
(/web-console) is blocked by default. However, it was found that this block
was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker
could use this flaw to gain access to sensitive information. This release
contains a Web Console with an updated configuration that now blocks all
unauthenticated access to it by default. (CVE-2010-1428)
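As an added illustration (not part of this advisory or of the JBoss code base), the following Python audit flags the shape of incomplete constraint described for both the JMX Console (CVE-2010-0738) and the Web Console (CVE-2010-1428): a security-constraint that requires authentication but enumerates http-method elements, so that any verb not listed falls outside it. The two web.xml fragments are constructed for the example; the resource name and role name in them are assumptions, not the shipped descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the shipped jmx-console descriptor) in the
# pre-CP09 shape: the auth-constraint applies only to GET and POST, so any
# other verb reaches the servlet without authentication.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The same constraint with the http-method elements removed, which is the
# shape of the CP09 fix: with no verbs listed, the constraint covers all of them.
FIXED_WEB_XML = "\n".join(
    line for line in WEAK_WEB_XML.splitlines() if "<http-method>" not in line)


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def find_verb_limited_constraints(web_xml_text):
    """Return (web-resource-name, [verbs]) for each security-constraint that
    requires authentication but lists explicit http-method elements; verbs
    not listed fall outside such a constraint and are not authenticated."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no authentication requirement here to bypass
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            verbs = [m.text.strip() for m in wrc if _local(m.tag) == "http-method" and m.text]
            if verbs:
                names = [n.text.strip() for n in wrc if _local(n.tag) == "web-resource-name" and n.text]
                findings.append((names[0] if names else "?", verbs))
    return findings


if __name__ == "__main__":
    print("weak :", find_verb_limited_constraints(WEAK_WEB_XML))
    print("fixed:", find_verb_limited_constraints(FIXED_WEB_XML))
```

Run it against each deployed WEB-INF/web.xml; any finding is a constraint whose protection depends on the request verb rather than on the URL pattern alone.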

The RHSA-2008:0827 update fixed an issue (CVE-2008-3273) where
unauthenticated users were able to access the status servlet; however, a
bug fix included in the RHSA-2009:0348 update re-introduced the issue. A
remote attacker could use this flaw to acquire details about deployed web
contexts. (CVE-2010-1429)

Warning: Before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.2.0 EL5


Bugs fixed (see bugzilla for more information)

571835 - Tracker bug for the EAP 4.2.0.cp09 release for RHEL-5.
574105 - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
585899 - CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
585900 - CVE-2010-1429 JBossEAP status servlet info leak


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/