Skip to navigation

Security Advisory Moderate: mod_cluster security update

Advisory: RHSA-2012:1053-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-07-03
Last updated on: 2012-07-03
Affected Products: JBoss Enterprise Web Platform 5 EL4
JBoss Enterprise Web Platform 5 EL5
JBoss Enterprise Web Platform 5 EL6
CVEs (cve.mitre.org): CVE-2012-1154

Details

Updated mod_cluster packages that fix one security issue are now available
for JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5,
and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

mod_cluster is an Apache HTTP Server (httpd) based load balancer that
forwards requests from httpd to application server nodes. It can use the
AJP, HTTP, or HTTPS protocols for communication with application server
nodes.

The JBoss Enterprise Web Platform 5.1.2 release (RHSA-2011:1804,
RHSA-2011:1803, RHSA-2011:1802) introduced a regression, causing
mod_cluster to register and expose the root context of a server by default,
even when "ROOT" was in the "excludedContexts" list in the mod_cluster
configuration. If an application was deployed on the root context, a remote
attacker could use this flaw to bypass intended access restrictions and
gain access to that application. (CVE-2012-1154)

Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "server/[PROFILE]/deploy/" directory and any other customized
configuration files.

Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,
5, and 6 should upgrade to these updated packages, which correct this
issue. The JBoss server process must be restarted for this update to take
effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Platform 5 EL4

SRPMS:
mod_cluster-1.0.10-4.GA_CP02_patch01.ep5.el4.src.rpm
File outdated by:  RHSA-2013:0197
    MD5: ba2d18289783134938f0445be7ae804f
SHA-256: 55c34b19f720be94d22ed17eaadb92e5550e8044598698858a8eb4c170a17aed
 
IA-32:
mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 51a974ef8c5c5cea79865c0ee08f5493
SHA-256: e2896ea69ed261fbfdae5003d4c22bae0b725362461350b52526865fb8be4569
mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 53709cd1f7f436f630a811821b5224dc
SHA-256: 9c4f0e2ea719bcc7c3ba2daa5671b72cfeca8e4393a944ec864838f10fdedf70
mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 0dba539fd3d3ceec610439f822029206
SHA-256: 5e11e239d841a60fb80ab9fc3e89a9b750be86f4a0cda5867496f3cfbe6f3e26
mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 0470a568654b5242378e6bf985b9b90b
SHA-256: a306d9b74607812f1aea535cf123cd6a6203f6f45a55dfdee23ae935e4e356bb
 
x86_64:
mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 51a974ef8c5c5cea79865c0ee08f5493
SHA-256: e2896ea69ed261fbfdae5003d4c22bae0b725362461350b52526865fb8be4569
mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 53709cd1f7f436f630a811821b5224dc
SHA-256: 9c4f0e2ea719bcc7c3ba2daa5671b72cfeca8e4393a944ec864838f10fdedf70
mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 0dba539fd3d3ceec610439f822029206
SHA-256: 5e11e239d841a60fb80ab9fc3e89a9b750be86f4a0cda5867496f3cfbe6f3e26
mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2013:0197
    MD5: 0470a568654b5242378e6bf985b9b90b
SHA-256: a306d9b74607812f1aea535cf123cd6a6203f6f45a55dfdee23ae935e4e356bb
 
JBoss Enterprise Web Platform 5 EL5

SRPMS:
mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm
File outdated by:  RHSA-2013:0196
    MD5: 3b4050503555a1152d1f5e732e0d6824
SHA-256: e8fe77d7a774488c45decb55a9a1328c605bbd06e588fbb6534904dfd88a074d
 
IA-32:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 5e7448c40f5fe932eb5262bad123fc9a
SHA-256: 1fc28f3c1cbf66f7fc4019800e3b11f46bb3d0b9c5aac542e8636da0fdeecea3
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 930042e40dc9d50a128acb3d37a7f68c
SHA-256: 2923f7c7d738b1f0bea8aea62cbfbed88040032578bc49074847ee587fd5b5b0
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: e8f43b215cadcba1e34db17d400a4b8e
SHA-256: f19a0182637582985a0d56bb5537f0e80ab35798c9c52f11ca308028b803ae69
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 97598f4db4261e3e311f2ec1568a1696
SHA-256: 6f137688a7ce510496a481d5cad25ab46084ab51c1cc6ced61fbded66c236c5e
 
x86_64:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 5e7448c40f5fe932eb5262bad123fc9a
SHA-256: 1fc28f3c1cbf66f7fc4019800e3b11f46bb3d0b9c5aac542e8636da0fdeecea3
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 930042e40dc9d50a128acb3d37a7f68c
SHA-256: 2923f7c7d738b1f0bea8aea62cbfbed88040032578bc49074847ee587fd5b5b0
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: e8f43b215cadcba1e34db17d400a4b8e
SHA-256: f19a0182637582985a0d56bb5537f0e80ab35798c9c52f11ca308028b803ae69
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0196
    MD5: 97598f4db4261e3e311f2ec1568a1696
SHA-256: 6f137688a7ce510496a481d5cad25ab46084ab51c1cc6ced61fbded66c236c5e
 
JBoss Enterprise Web Platform 5 EL6

SRPMS:
mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm
File outdated by:  RHSA-2013:0195
    MD5: c5dae638aa2dbe73c0ea4ccd7491a0c7
SHA-256: 6c1ac971516de4710e1574d4d66c00861126a6663df57f735328da801fb77ac8
 
IA-32:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: ea6925023d8a1f4ba79543bd2b5a118d
SHA-256: fe14e972b0c7be23a5bcb6e690e6e47c5f552463b6786e3dbfa44a4cd12544f0
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 4c0536607e3cb8025ce4d3a4759a9976
SHA-256: e891e9b20d7eee5a24328c451e2fb7857851f8e006a811e8ed580e1c9ec15a4e
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 5b4c3f45c04ea4500e269c46f524a696
SHA-256: 7000fe8b0bae8a053195db4c8975bb8836ef9f754053c1e39a6a86ee86dd3fcc
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 1ce77be3bc42cd1cef06f1b31750aedd
SHA-256: 1c7d305ac79b5597ad61197f32a7c7d97f8725a76d8f747ebda3728b49eff79d
 
x86_64:
mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: ea6925023d8a1f4ba79543bd2b5a118d
SHA-256: fe14e972b0c7be23a5bcb6e690e6e47c5f552463b6786e3dbfa44a4cd12544f0
mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 4c0536607e3cb8025ce4d3a4759a9976
SHA-256: e891e9b20d7eee5a24328c451e2fb7857851f8e006a811e8ed580e1c9ec15a4e
mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 5b4c3f45c04ea4500e269c46f524a696
SHA-256: 7000fe8b0bae8a053195db4c8975bb8836ef9f754053c1e39a6a86ee86dd3fcc
mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0195
    MD5: 1ce77be3bc42cd1cef06f1b31750aedd
SHA-256: 1c7d305ac79b5597ad61197f32a7c7d97f8725a76d8f747ebda3728b49eff79d
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/