Skip to navigation

Security Advisory Moderate: JBoss Operations Network 3.1.0 update

Advisory: RHSA-2012:0725-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-06-12
Last updated on: 2012-06-12
Affected Products:
CVEs (cve.mitre.org): CVE-2009-2625

Details

JBoss Operations Network 3.1.0, which fixes one security issue, several
bugs, and adds enhancements, is now available from the Red Hat Customer
Portal.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

JBoss Operations Network (JBoss ON) is a middleware management solution
that provides a single point of control to deploy, manage, and monitor
JBoss Enterprise Middleware, applications, and services.

This JBoss ON 3.1.0 release serves as a replacement for JBoss ON 3.0.1, and
includes several bug fixes and enhancements. Refer to the JBoss ON 3.1.0
Release Notes for information on the most significant of these changes. The
Release Notes will be available shortly from
https://docs.redhat.com/docs/en-US/index.html

The following security issue is also fixed with this release:

A flaw was found in the way the Apache Xerces2 Java Parser processed the
SYSTEM identifier in DTDs. A remote attacker could provide a
specially-crafted XML file, which once parsed by an application using the
Apache Xerces2 Java Parser, would lead to a denial of service (application
hang due to excessive CPU use). (CVE-2009-2625)

Warning: Before applying the update, back up your existing JBoss ON
installation (including its databases, applications, configuration files,
the JBoss ON server's file system directory, and so on).

All users of JBoss Operations Network 3.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Operations Network 3.1.0.


Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss ON installation (including its databases, applications,
configuration files, the JBoss ON server's file system directory, and so
on).

Refer to the JBoss Operations Network 3.1.0 Release Notes for installation
information.

Updated packages


Bugs fixed (see bugzilla for more information)

512921 - CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/