Security Advisory Important: JBoss Enterprise Application Platform 6.0.1 security update

Advisory: RHSA-2013:0231-1
Type: Security Advisory
Severity: Important
Issued on: 2013-02-04
Last updated on: 2013-02-04
Affected Products: JBoss Enterprise Application Platform 6 EL5
                   JBoss Enterprise Application Platform 6 EL6
CVEs (cve.mitre.org): CVE-2012-5629

Details

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix one
security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java applications
based on JBoss Application Server 7.

When using LDAP authentication with either the "ldap" configuration entry
of a management security realm or the provided LDAP login modules
(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by
default. An attacker could use this flaw to bypass intended authentication
by supplying a valid username with an empty password: an LDAP server may
treat a simple bind with a non-empty DN and a zero-length password as an
'unauthenticated authentication' (RFC 4513, section 5.1.2), which succeeds
without verifying any credential and grants only anonymous access, while
the login module took the successful bind as proof that the password was
correct. This update sets the allowEmptyPasswords option for the LDAP login
modules to false if the option is not already configured. (CVE-2012-5629)

Note: If you are using the "ldap" configuration entry and rely on empty
passwords, they will no longer work after applying this update. The
jboss-as-domain-management module, by default, will prevent empty
passwords. This cannot be configured; however, a future release may add a
configuration option to allow empty passwords when using the "ldap"
configuration entry.
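The option this update changes can be checked in an existing configuration before the packages are applied. The script below is an added example, not Red Hat's or JBoss's own tooling: it parses a JBoss EAP 6 standalone.xml, finds every security-domain that uses one of the two LDAP login modules named above, and reports whether allowEmptyPasswords is absent, explicitly true, or false. The embedded standalone.xml is constructed for illustration (host names and DNs are made up) and places a domain left at the pre-update default beside one hardened with allowEmptyPasswords=false. It does not cover the management realm's "ldap" configuration entry, which has no such option.

```python
import xml.etree.ElementTree as ET

# 'code' values that PicketBox resolves to the two LDAP login modules named in
# the advisory: the short aliases and the fully-qualified class names.
LDAP_LOGIN_MODULES = {
    "Ldap", "org.jboss.security.auth.spi.LdapLoginModule",
    "LdapExtended", "org.jboss.security.auth.spi.LdapExtLoginModule",
}

# Constructed sample standalone.xml (hosts and DNs are made up): one LDAP
# domain at the pre-update default (option absent), one that explicitly
# allows empty passwords, and one hardened domain.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.1">
      <security-domains>
        <security-domain name="legacy-ldap" cache-type="default">
          <authentication>
            <login-module code="LdapExtended" flag="required">
              <module-option name="java.naming.provider.url" value="ldap://ldap.example.test:389"/>
              <module-option name="bindDN" value="cn=svc-jboss,ou=services,dc=example,dc=test"/>
              <module-option name="baseCtxDN" value="ou=people,dc=example,dc=test"/>
              <module-option name="baseFilter" value="(uid={0})"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="explicit-true" cache-type="default">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
              <module-option name="java.naming.provider.url" value="ldap://ldap.example.test:389"/>
              <module-option name="principalDNPrefix" value="uid="/>
              <module-option name="principalDNSuffix" value=",ou=people,dc=example,dc=test"/>
              <module-option name="allowEmptyPasswords" value="true"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="hardened-ldap" cache-type="default">
          <authentication>
            <login-module code="LdapExtended" flag="required">
              <module-option name="java.naming.provider.url" value="ldap://ldap.example.test:389"/>
              <module-option name="bindDN" value="cn=svc-jboss,ou=services,dc=example,dc=test"/>
              <module-option name="baseCtxDN" value="ou=people,dc=example,dc=test"/>
              <module-option name="allowEmptyPasswords" value="false"/>
            </login-module>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Return an element tag without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def audit_ldap_login_modules(xml_text):
    """Return (security-domain name, login-module code, status) for every
    LDAP login module. status is "missing" (option not set: vulnerable with
    pre-update packages, defaults to false once this update is applied),
    "true" (explicitly allows empty passwords: still vulnerable after the
    update, which only changes the default) or "false" (hardened; any value
    other than "true" parses as false, as Java's Boolean.parseBoolean does).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for domain in root.iter():
        if _local(domain.tag) != "security-domain":
            continue
        for lm in domain.iter():
            if _local(lm.tag) != "login-module" or lm.get("code") not in LDAP_LOGIN_MODULES:
                continue
            opts = {o.get("name"): (o.get("value") or "").strip().lower()
                    for o in lm.iter() if _local(o.tag) == "module-option"}
            value = opts.get("allowEmptyPasswords")
            status = "missing" if value is None else ("true" if value == "true" else "false")
            findings.append((domain.get("name"), lm.get("code"), status))
    return findings


def vulnerable_domains(xml_text, patched=False):
    """Names of security domains that would accept an empty password: with
    patched=False (pre-RHSA-2013:0231 packages) a missing option counts,
    with patched=True only an explicit "true" does."""
    bad = {"true"} if patched else {"true", "missing"}
    return sorted({d for d, _, s in audit_ldap_login_modules(xml_text) if s in bad})


if __name__ == "__main__":
    for domain, code, status in audit_ldap_login_modules(SAMPLE_STANDALONE_XML):
        print(f"{domain:14s} {code:48s} allowEmptyPasswords={status}")
    print("vulnerable before update:", vulnerable_domains(SAMPLE_STANDALONE_XML))
    print("vulnerable after update: ", vulnerable_domains(SAMPLE_STANDALONE_XML, patched=True))
```

Run it against a real configuration with audit_ldap_login_modules(open("standalone.xml").read()). Domains with an explicit allowEmptyPasswords=true stay vulnerable after the update, because the update only supplies a default; those must be changed by hand and the server restarted.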

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 6 EL5

SRPMS:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5.src.rpm
    File outdated by: RHSA-2017:1550
    MD5:     2de8d8d633f3e4161f6e300048191844
    SHA-256: 6551ba3462b4869879441fab86f08c157f783c092a2c625868dd8f50b6a7cc91
picketbox-4.0.14-3.Final_redhat_3.ep6.el5.src.rpm
    File outdated by: RHSA-2017:1550
    MD5:     69842db8fa95391d11b15b0156bc2609
    SHA-256: 22c65f19793f162eff59aa98a3aa9e751fc4feae6d4b42f4634207c64bed75de

IA-32:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5.noarch.rpm
    File outdated by: RHSA-2017:1550
    MD5:     4503c597ec1bf1c5997bd9e2f8b3e6dd
    SHA-256: 15524e6857036ef83ef4a2efe7d500ba4bc3421af0529145feab58a2b7e59190
picketbox-4.0.14-3.Final_redhat_3.ep6.el5.noarch.rpm
    File outdated by: RHSA-2017:1550
    MD5:     bcb9e22c99706d5fa76dd11177f66579
    SHA-256: 36b95575602e55957ae1c795d425c6940a09d4651898b7e02c8b06338c49ce17

x86_64:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5.noarch.rpm
    File outdated by: RHSA-2017:1550
    MD5:     4503c597ec1bf1c5997bd9e2f8b3e6dd
    SHA-256: 15524e6857036ef83ef4a2efe7d500ba4bc3421af0529145feab58a2b7e59190
picketbox-4.0.14-3.Final_redhat_3.ep6.el5.noarch.rpm
    File outdated by: RHSA-2017:1550
    MD5:     bcb9e22c99706d5fa76dd11177f66579
    SHA-256: 36b95575602e55957ae1c795d425c6940a09d4651898b7e02c8b06338c49ce17

JBoss Enterprise Application Platform 6 EL6

SRPMS:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6.src.rpm
    File outdated by: RHSA-2017:1549
    MD5:     a84386b9db17264d18e8e5724e9869dc
    SHA-256: 7d5acada54215df893eeb6e7d7d572437c0945715613ab643f3c28ce6868e7b8
picketbox-4.0.14-3.Final_redhat_3.ep6.el6.src.rpm
    File outdated by: RHSA-2017:1549
    MD5:     88887bda11d0c46c496089257259154d
    SHA-256: 8fbbf0067f572f251415e63c455e61711d18718cd094247167a73af3e2de446e

IA-32:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6.noarch.rpm
    File outdated by: RHSA-2017:1549
    MD5:     98029901389ff23fe0b68cd0f94e0515
    SHA-256: 54bfa9ca3a46661b43be74ad3c7b6919d725461e85d156c09e9954114273f439
picketbox-4.0.14-3.Final_redhat_3.ep6.el6.noarch.rpm
    File outdated by: RHSA-2017:1549
    MD5:     65d3fc95a2a64bc28d1f6b603b8012ca
    SHA-256: 0991422d6e8d12ba4b3c227fd02c7ce79b5641660c66b8b24d07e6b277377a6f

x86_64:
jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6.noarch.rpm
    File outdated by: RHSA-2017:1549
    MD5:     98029901389ff23fe0b68cd0f94e0515
    SHA-256: 54bfa9ca3a46661b43be74ad3c7b6919d725461e85d156c09e9954114273f439
picketbox-4.0.14-3.Final_redhat_3.ep6.el6.noarch.rpm
    File outdated by: RHSA-2017:1549
    MD5:     65d3fc95a2a64bc28d1f6b603b8012ca
    SHA-256: 0991422d6e8d12ba4b3c227fd02c7ce79b5641660c66b8b24d07e6b277377a6f

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP


References



These packages are GPG signed by Red Hat for security. Verify the GPG
signature and, when comparing checksums, use the SHA-256 value rather than
MD5, which is not collision resistant. Our key and details on how to verify
the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/