Security Advisory Important: jbossweb security update

Advisory: RHSA-2013:0164-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-15
Last updated on: 2013-01-15
Affected Products: JBoss Enterprise Application Platform 6 EL5
                   JBoss Enterprise Application Platform 6 EL6
CVEs (cve.mitre.org): CVE-2012-3546

Details

Updated jbossweb packages that fix one security issue are now available for
JBoss Enterprise Application Platform 6.0.1 for Red Hat Enterprise Linux 5
and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise
Application Platform. It provides a single deployment platform for the
JavaServer Pages (JSP) and Java Servlet technologies.

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)
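As an added detection example that is not part of this advisory, the following Python scans access-log lines for the request pattern described above: URIs ending in "/j_security_check" that are not a normal login submission. It assumes the JBoss Web access log uses the common or combined AccessLogValve pattern and that the legitimate login form action path (/app/j_security_check here) is known; the log lines are constructed.

```python
import re

# JBoss Web / Tomcat AccessLogValve "common" or "combined" pattern (assumed):
# %h %l %u %t "%r" %s %b ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FORM_ACTION = "/j_security_check"

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    return entry

def is_suspicious(entry, expected_actions):
    """True for a request ending in /j_security_check that is not a normal login submission.

    A genuine FORM login is a POST to the action path the login page submits to
    (assumed here to be /app/j_security_check); a GET, or the suffix appended to
    some other resource, is the pattern the advisory describes.
    """
    if not entry["path"].endswith(FORM_ACTION):
        return False
    if entry["method"] != "POST":
        return True
    return entry["path"] not in expected_actions

def find_suspicious(lines, expected_actions):
    """Return the parsed entries that is_suspicious() flags, in log order."""
    return [e for e in map(parse_line, lines) if e and is_suspicious(e, expected_actions)]

# Constructed sample lines, not real traffic; "alice" already has an authenticated session.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2013:10:00:01 +0000] "POST /app/j_security_check HTTP/1.1" 302 -',
    '192.0.2.10 - alice [15/Jan/2013:10:00:05 +0000] "GET /app/admin/report.jsp HTTP/1.1" 403 -',
    '192.0.2.10 - alice [15/Jan/2013:10:00:09 +0000] "GET /app/admin/report.jsp/j_security_check HTTP/1.1" 200 4321',
    '192.0.2.10 - alice [15/Jan/2013:10:00:12 +0000] "GET /app/admin/list.jsp/j_security_check?q=1 HTTP/1.1" 200 880',
    '192.0.2.11 - bob [15/Jan/2013:10:01:00 +0000] "POST /app/admin/j_security_check HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, {"/app/j_security_check"}):
        print(hit["time"], hit["host"], hit["user"], hit["method"], hit["path"], hit["status"])
```

A 403 on a protected resource followed by a 200 on the same resource with "/j_security_check" appended, from the same session, is the sequence worth correlating; run the scan against logs from before the update was applied as well.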

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

Users of JBoss Enterprise Application Platform 6.0.1 on Red Hat
Enterprise Linux 5 and 6 should upgrade to these updated packages, which
correct this issue. The JBoss server process must be restarted for this
update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 6 EL5

SRPMS:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.src.rpm
    File outdated by: RHSA-2014:0343
    MD5: f00e5c84df9c2ffb8b91a502b5aef931
    SHA-256: 7d8f6627899141a449eae87361ba954a6e463294c730e87a9ecf9b68c9e158f1

IA-32:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm
    File outdated by: RHSA-2014:0343
    MD5: d0e9588fa60c5d854568c42b561fc7ff
    SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm
    File outdated by: RHSA-2013:0647
    MD5: 346af0ba690b52ba8d40c929af425b15
    SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753

x86_64:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm
    File outdated by: RHSA-2014:0343
    MD5: d0e9588fa60c5d854568c42b561fc7ff
    SHA-256: 66cdc85d20d65eba17ecf8be1c19259501460b101d467d594bd35a1824ddb0c7
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el5.noarch.rpm
    File outdated by: RHSA-2013:0647
    MD5: 346af0ba690b52ba8d40c929af425b15
    SHA-256: 8115462eda6b378ff4313497c399d0b0504e4744e3df3964d79535b4ccee6753

JBoss Enterprise Application Platform 6 EL6

SRPMS:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.src.rpm
    File outdated by: RHSA-2014:0344
    MD5: 02e794e8878f9fddd5bf6057d1ff8218
    SHA-256: a3419f6197ae67831a4dd0f041d5e82ed0bfec139fddacf28731939140df40d4

IA-32:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm
    File outdated by: RHSA-2014:0344
    MD5: 599b3a57b4ef1654ac3e6b84109bb931
    SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm
    File outdated by: RHSA-2013:0647
    MD5: cd42da7b7f94ca39b39936d01d8d7238
    SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f

x86_64:
jbossweb-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm
    File outdated by: RHSA-2014:0344
    MD5: 599b3a57b4ef1654ac3e6b84109bb931
    SHA-256: 901a28cb4ca79167c0f0179a694b316c15586e9fb463c2e6d99684c92487771a
jbossweb-lib-7.0.17-3.Final_redhat_2.ep6.el6.noarch.rpm
    File outdated by: RHSA-2013:0647
    MD5: cd42da7b7f94ca39b39936d01d8d7238
    SHA-256: 716c056296f478916f7afccf3214655b70e5f071acca5f7c0e42e8ee6731c08f

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/