Security Advisory Important: jbossas security update

Advisory: RHSA-2013:0147-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
JBoss Enterprise Application Platform 4.3.0 EL5
CVEs (cve.mitre.org): CVE-2012-3546

Details

Updated jbossas packages that fix one security issue are now available for
JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat
Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise
Application Platform. It provides a single deployment platform for the
JavaServer Pages (JSP) and Java Servlet technologies.

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)
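As an added example (not part of the advisory or of JBoss Web itself), the following check scans JBoss Web / Tomcat access-log lines for the request shape described above: a path that ends in "/j_security_check" but is not the application's real FORM login action. The "/app" context, its login action and the log lines are constructed for the example; a 2xx hit on a pre-update server is the signal that a protected resource was served.

```python
import re
from typing import Dict, Iterable, List, Set

# Access-log line format as written by the AccessLogValve "common" pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Hypothetical deployment: the only place the FORM login page legitimately posts to.
LOGIN_ACTIONS = {"/app/j_security_check"}

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2013:10:00:01 +0000] "POST /app/j_security_check HTTP/1.1" 302 -
10.0.0.5 - alice [08/Jan/2013:10:00:05 +0000] "GET /app/admin/report.jsp HTTP/1.1" 403 -
10.0.0.5 - alice [08/Jan/2013:10:00:09 +0000] "GET /app/admin/report.jsp/j_security_check HTTP/1.1" 200 5120
10.0.0.7 - - [08/Jan/2013:10:01:00 +0000] "GET /app/index.jsp?x=1 HTTP/1.1" 200 812
""".splitlines()


def find_bypass_attempts(lines: Iterable[str], login_actions: Set[str]) -> List[Dict]:
    """Return requests whose path ends in /j_security_check but is not a known login action.

    "served" is True when the server answered 2xx, i.e. the resource in front of the
    suffix was delivered; after the update such a request should be denied instead.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if not path.endswith("/j_security_check") or path in login_actions:
            continue
        status = int(m.group("status"))
        findings.append({
            "host": m.group("host"),
            "user": m.group("user"),
            "path": path,
            "protected_resource": path[: -len("/j_security_check")],
            "status": status,
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for finding in find_bypass_attempts(SAMPLE_LOG, LOGIN_ACTIONS):
        print(finding)
```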

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform's "server/[PROFILE]/deploy/" directory, along with all
other customized configuration files.

Users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red Hat
Enterprise Linux 4 and 5 should upgrade to these updated packages, which
correct this issue. The JBoss server process must be restarted for this
update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4

SRPMS:
jbossas-4.3.0-11.GA_CP10_patch_02.1.ep1.el4.src.rpm
File outdated by:  RHSA-2013:0249
 
IA-32:
jbossas-4.3.0-11.GA_CP10_patch_02.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-client-4.3.0-11.GA_CP10_patch_02.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
 
x86_64:
jbossas-4.3.0-11.GA_CP10_patch_02.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-client-4.3.0-11.GA_CP10_patch_02.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
 
JBoss Enterprise Application Platform 4.3.0 EL5

SRPMS:
jbossas-4.3.0-11.GA_CP10_patch_02.2.ep1.el5.src.rpm
File outdated by:  RHSA-2013:0249
 
IA-32:
jbossas-4.3.0-11.GA_CP10_patch_02.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-client-4.3.0-11.GA_CP10_patch_02.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2013:0249
 
x86_64:
jbossas-4.3.0-11.GA_CP10_patch_02.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-client-4.3.0-11.GA_CP10_patch_02.2.ep1.el5.noarch.rpm
File outdated by:  RHSA-2013:0249
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/