Security Advisory Important: JBoss Enterprise Web Platform 5.2.0 security update

Advisory: RHSA-2013:0230-1
Type: Security Advisory
Severity: Important
Issued on: 2013-02-04
Last updated on: 2013-02-04
Affected Products: JBoss Enterprise Web Platform 5 EL4
JBoss Enterprise Web Platform 5 EL5
JBoss Enterprise Web Platform 5 EL6
CVEs (cve.mitre.org): CVE-2012-5629

Details

An updated jbosssx2 package for JBoss Enterprise Web Platform 5.2.0 that
fixes one security issue is now available for Red Hat Enterprise Linux 4,
5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The Enterprise Web Platform is a slimmed down profile of the JBoss
Enterprise Application Platform intended for mid-size workloads with light
and rich Java applications.

When using LDAP authentication with the provided LDAP login modules
(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by
default. An attacker could use this flaw to bypass intended authentication
by providing an empty password for a valid username, as the LDAP server may
recognize this as an 'unauthenticated authentication' (RFC 4513). This
update sets the allowEmptyPasswords option for the LDAP login modules to
false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss
Enterprise Web Platform installation (including all applications and
configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise
Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss
server process must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Platform 5 EL4

SRPMS:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.src.rpm     MD5: 09c5ed014c80084576c652da68461afd
SHA-256: 3164ceca8eed600f45157988b75e8462cc552500cc9634b90b5faa2deed1f57b
 
IA-32:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm     MD5: 95121743e3d07244d3e3e416945df5ea
SHA-256: 9c4a5b1c0d0f4dfe7fc12ea7eb0c8dbdd2c0907a889434dbfc8f3a0046397780
 
x86_64:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el4.noarch.rpm     MD5: 95121743e3d07244d3e3e416945df5ea
SHA-256: 9c4a5b1c0d0f4dfe7fc12ea7eb0c8dbdd2c0907a889434dbfc8f3a0046397780
 
JBoss Enterprise Web Platform 5 EL5

SRPMS:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.src.rpm     MD5: 8a3e901d29aaac056f3242257cbb1bc4
SHA-256: 04e79da270872832bbe9b5ae6c35ec9a4b11017f352fae834b00ae2876190e73
 
IA-32:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.noarch.rpm     MD5: 9a482dd252d0b70cba4a0f8802f182fa
SHA-256: 36d45428b4b9d353a8a2ac9d3226415b1766c5c299f5aca7ebb16a126f09b4a3
 
x86_64:
jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5.noarch.rpm     MD5: 9a482dd252d0b70cba4a0f8802f182fa
SHA-256: 36d45428b4b9d353a8a2ac9d3226415b1766c5c299f5aca7ebb16a126f09b4a3
 
JBoss Enterprise Web Platform 5 EL6

SRPMS:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.src.rpm     MD5: 7891f99fc222d2e2c7ebf94646eb8e80
SHA-256: 8511aae426cc52c491ed72ff09c7179c052abb561547d27fa5fcc15c11a77e79
 
IA-32:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.noarch.rpm     MD5: 6f917e164eff5239605f905d4b7d9aa1
SHA-256: 06b78f4d9e95778fbca7ac892647a2e408ac1740c4be270daac2f0a63c3fc732
 
x86_64:
jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6.noarch.rpm     MD5: 6f917e164eff5239605f905d4b7d9aa1
SHA-256: 06b78f4d9e95778fbca7ac892647a2e408ac1740c4be270daac2f0a63c3fc732
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/