Security Advisory Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update

Advisory: RHSA-2013:0249-1
Type: Security Advisory
Severity: Important
Issued on: 2013-02-11
Last updated on: 2013-02-11
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
JBoss Enterprise Application Platform 4.3.0 EL5
CVEs (cve.mitre.org): CVE-2012-5629

Details

Updated JBoss Enterprise Application Platform 4.3.0 CP10 packages that fix
one security issue are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

JBoss Enterprise Application Platform is a platform for Java applications,
which integrates the JBoss Application Server with JBoss Hibernate and
JBoss Seam.

When using LDAP authentication with the provided LDAP login modules
(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by
default. An attacker could use this flaw to bypass intended authentication
by providing an empty password for a valid username, as the LDAP server may
recognize this as an 'unauthenticated authentication' (RFC 4513). This
update sets the allowEmptyPasswords option for the LDAP login modules to
false if the option is not already configured. (CVE-2012-5629)
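The following audit script is an added example, not part of this advisory or of the JBoss code base. It assumes the JBoss EAP 4.x login-config.xml layout (application-policy / login-module / module-option elements) and runs over a constructed sample configuration, reporting every LDAP login module that does not set allowEmptyPasswords to false; bind_allowed() models the fixed behaviour of rejecting an empty password before any LDAP bind is attempted.

```python
# Added example (not from the advisory): audit login-config.xml for LDAP
# login modules that still allow empty passwords (CVE-2012-5629).
import xml.etree.ElementTree as ET

# Login module codes shipped with JBoss EAP 4.x that the advisory names.
LDAP_MODULES = {
    "org.jboss.security.auth.spi.LdapLoginModule",
    "org.jboss.security.auth.spi.LdapExtLoginModule",
}

# Constructed sample: one policy relies on the old default, one is hardened.
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="legacy-ldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldap.example.test:389</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="hardened-ldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldap.example.test:389</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""


def find_unsafe_ldap_policies(xml_text):
    """Return names of application-policies whose LDAP login module lacks
    allowEmptyPasswords=false (a missing option or any other value is reported)."""
    root = ET.fromstring(xml_text)
    unsafe = []
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            if module.get("code") not in LDAP_MODULES:
                continue
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.findall("module-option")}
            if opts.get("allowEmptyPasswords", "").lower() != "false":
                unsafe.append(policy.get("name"))
    return unsafe


def bind_allowed(password, allow_empty_passwords=False):
    """Model of the fixed check: an empty password is refused locally, so the
    LDAP server never sees an RFC 4513 'unauthenticated' bind for a valid DN."""
    return not (password == "" and not allow_empty_passwords)


if __name__ == "__main__":
    print("policies allowing empty passwords:",
          find_unsafe_ldap_policies(SAMPLE_LOGIN_CONFIG))
```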

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red Hat
Enterprise Linux 4 and 5 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4

SRPMS:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.src.rpm     MD5: 687f41d18045ed16c3217f5825bd0e21
SHA-256: a3dff50fe5a8c8532b4e52c59fd7be3bf24c32485a5cc61f97d22f103e6c632b
 
IA-32:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm     MD5: 05ce84af78080990454a7006b1689169
SHA-256: 95283aa9549ee0cc48da05f1a0ff09d3ad99c145d03bd8859edd1e777a21009a
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm     MD5: 64572b1993f720122069dc9d8f0779f1
SHA-256: a0ea0504ad94072479a25385f371965d033aa0bcffc2c24d456322a9d477b43e
 
x86_64:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm     MD5: 05ce84af78080990454a7006b1689169
SHA-256: 95283aa9549ee0cc48da05f1a0ff09d3ad99c145d03bd8859edd1e777a21009a
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el4.noarch.rpm     MD5: 64572b1993f720122069dc9d8f0779f1
SHA-256: a0ea0504ad94072479a25385f371965d033aa0bcffc2c24d456322a9d477b43e
 
JBoss Enterprise Application Platform 4.3.0 EL5

SRPMS:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.src.rpm     MD5: 1c5dfaf0e3b55f35d2ed669fec06a567
SHA-256: 45946b85a4259b7de6d1ea5a4588feb95d08c358913aefc6ad8deb32d2e47445
 
IA-32:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm     MD5: 40672f7486ed9060a5a60c9f5e44625b
SHA-256: 9ea0b554830a5902df29fe5520e0764a5a1d5580842d258723010a7dc508e682
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm     MD5: 8e90c2d88acdaa998e0dcdc84247ccd1
SHA-256: af9ff7c4443b92eb9561f2e8423d3f3f83cf1b21f0394544c276c93137645de3
 
x86_64:
jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm     MD5: 40672f7486ed9060a5a60c9f5e44625b
SHA-256: 9ea0b554830a5902df29fe5520e0764a5a1d5580842d258723010a7dc508e682
jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el5.noarch.rpm     MD5: 8e90c2d88acdaa998e0dcdc84247ccd1
SHA-256: af9ff7c4443b92eb9561f2e8423d3f3f83cf1b21f0394544c276c93137645de3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/