Security Advisory Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update

Advisory: RHSA-2010:0379-1
Type: Security Advisory
Severity: Critical
Issued on: 2010-04-27
Last updated on: 2010-04-27
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL5
CVEs (cve.mitre.org): CVE-2010-0738, CVE-2010-1428, CVE-2010-1429

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
three security issues and multiple bugs are now available for Red Hat
Enterprise Linux 5 as JBEAP 4.3.0.CP08.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JBoss Enterprise Application Platform is the market leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a
replacement to JBEAP 4.3.0.CP07.

These updated packages include multiple bug fixes which are detailed in the
Release Notes. The Release Notes will be available shortly from the link
in the References section.

The following security issues are also fixed with this release:

The JMX Console configuration only specified an authentication requirement
for requests that used the GET and POST HTTP "verbs". A remote attacker
could create an HTTP request that does not specify GET or POST, causing it
to be executed by the default GET handler without authentication. This
release contains a JMX Console with an updated configuration that no longer
specifies the HTTP verbs. This means that the authentication requirement is
applied to all requests. (CVE-2010-0738)

For the CVE-2010-0738 issue, if an immediate upgrade is not possible or the
server deployment has been customized, a manual fix can be applied. Refer
to the "Security" subsection of the "Issues fixed in this release" section
(JBPAPP-3952) of the JBEAP Release Notes, linked to in the References, for
details. Contact Red Hat JBoss Support for advice before making the changes
noted in the Release Notes.

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
Security for responsibly reporting the CVE-2010-0738 issue.

Unauthenticated access to the JBoss Application Server Web Console
(/web-console) is blocked by default. However, it was found that this block
was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker
could use this flaw to gain access to sensitive information. This release
contains a Web Console with an updated configuration that now blocks all
unauthenticated access to it by default. (CVE-2010-1428)
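A way to audit a JBoss web.xml for the verb-limited constraint described above for both the JMX Console (CVE-2010-0738) and the Web Console (CVE-2010-1428), as an added example that is not part of this advisory or of Red Hat's fix: the servlet specification applies a security-constraint only to the HTTP methods listed in its web-resource-collection, and to every method when none is listed, so the audit flags any authenticated collection that lists methods. The web.xml text and the JBossAdmin role name are constructed to resemble the pre-fix descriptor, not copied from the product.

```python
"""Audit a web.xml for security-constraints that only cover listed HTTP
verbs, the configuration defect behind CVE-2010-0738 / CVE-2010-1428."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the pre-fix JMX Console descriptor (role name
# assumed): only GET and POST are constrained, so any other verb reaches the
# default handler without authentication.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected form: with no http-method elements the constraint covers every verb.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")

def _local(tag):
    """Drop a namespace prefix ({uri}tag -> tag); schema-based files then audit like DTD ones."""
    return tag.rsplit("}", 1)[-1]

def find_verb_limited_constraints(web_xml_text):
    """Return (url_patterns, verbs) for each web-resource-collection that sits
    under an auth-constraint yet protects only the verbs it lists explicitly."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # nothing is required here, so there is nothing to bypass
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            verbs = [e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"]
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            if verbs:  # verbs listed: every unlisted verb is left unconstrained
                findings.append((patterns, verbs))
    return findings

if __name__ == "__main__":
    print(find_verb_limited_constraints(VULNERABLE_WEB_XML))  # [(['/*'], ['GET', 'POST'])]
    print(find_verb_limited_constraints(FIXED_WEB_XML))  # []
```

Run it against a deployed jmx-console.war/WEB-INF/web.xml or web-console.war/WEB-INF/web.xml to confirm a customized deployment no longer lists verbs after the update or the manual fix.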

The RHSA-2008:0828 update fixed an issue (CVE-2008-3273) where
unauthenticated users were able to access the status servlet; however, a
bug fix included in the RHSA-2009:0349 update re-introduced the issue. A
remote attacker could use this flaw to acquire details about deployed web
contexts. (CVE-2010-1429)

Warning: Before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL5


Bugs fixed (see bugzilla for more information)

571905 - Tracker bug for the EAP 4.3.0.cp08 release.
574105 - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
585899 - CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
585900 - CVE-2010-1429 JBossEAP status servlet info leak

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/