Security Advisory Important: JBoss Enterprise Web Platform 5.2.0 security update

Advisory: RHSA-2013:0874-1
Type: Security Advisory
Severity: Important
Issued on: 2013-05-28
Last updated on: 2013-05-28
Affected Products: JBoss Enterprise Web Platform 5 EL4
JBoss Enterprise Web Platform 5 EL5
JBoss Enterprise Web Platform 5 EL6
CVEs (cve.mitre.org): CVE-2012-5575

Details

Updated packages for JBoss Enterprise Web Platform 5.2.0, which fix one
security issue, are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The Enterprise Web Platform is a slimmed down profile of the JBoss
Enterprise Application Platform intended for mid-size workloads with light
and rich Java applications.

XML encryption backwards compatibility attacks were found against various
frameworks, including Apache CXF. An attacker could force a server to use
insecure, legacy cryptosystems, even when secure cryptosystems were enabled
on endpoints. By forcing the use of legacy cryptosystems, flaws such as
CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be
recovered from cryptograms and symmetric keys. This issue affected both the
JBoss Web Services CXF (jbossws-cxf) and JBoss Web Services Native
(jbossws-native) stacks. (CVE-2012-5575)

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj
Somorovsky of Ruhr-University Bochum for reporting this issue.

If you are using jbossws-cxf, the automatic checks that prevent this flaw
run only when WS-SecurityPolicy is used to enforce security requirements;
endpoints that do not use WS-SecurityPolicy receive no automatic check. It
is best practice to use WS-SecurityPolicy to enforce security requirements.

If you are using jbossws-native, the fix for this flaw is implemented by
two new configuration attributes on the 'encryption' element. This element
can be a child of 'requires' in both the client and server wsse
configuration descriptors (set on a per-application basis via the
application's jboss-wsse-server.xml and jboss-wsse-client.xml files). The
new attributes are 'algorithms' and 'keyWrapAlgorithms'. Each should
contain a space- or comma-separated list of the algorithm IDs that are
allowed in an incoming encrypted message, for data encryption and for key
wrapping respectively. For backwards compatibility, no algorithm checks are
performed by default: an empty list or a missing attribute disables the
check for that attribute.

For example (on a single line in your configuration):

<encryption algorithms="aes-192-gcm aes-256-gcm" keyWrapAlgorithms="rsa_oaep"/>

This specifies that incoming messages are required to be encrypted, that the
only permitted encryption algorithms are AES-192 and AES-256 in GCM mode, and
that RSA-OAEP is the only permitted key wrapping algorithm.

Before performing any decryption, the jbossws-native stack verifies that
each algorithm specified in the incoming message is included in the
allowed-algorithm lists from these new encryption element attributes. The
algorithm values to be used for 'algorithms' and 'keyWrapAlgorithms' are
the same as for 'algorithm' and 'keyWrapAlgorithm' in the 'encrypt'
element.
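The allow-list check that the advisory describes for jbossws-native, as an added Python example that is not part of the advisory or of JBoss Web Services: it reads 'algorithms' and 'keyWrapAlgorithms' from a simplified jboss-wsse-server.xml-style configuration (only the requires/encryption nesting and the two attribute names come from the advisory; the outer element shape is assumed), maps the short IDs to the XML Encryption algorithm URIs that appear in incoming messages (the three IDs in the advisory are real; the other IDs in the table are assumed for illustration), and refuses a message whose EncryptedKey or EncryptedData names an algorithm outside the lists before any decryption would run. It also shows the backwards-compatible default: an empty list disables that check.

```python
import xml.etree.ElementTree as ET

# Short algorithm IDs (advisory syntax) -> XML Encryption URIs seen in messages.
# "aes-192-gcm", "aes-256-gcm" and "rsa_oaep" are the IDs the advisory uses;
# the remaining IDs are assumed for illustration.
ALGORITHM_URIS = {
    "aes-128-gcm": "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "aes-192-gcm": "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "aes-256-gcm": "http://www.w3.org/2009/xmlenc11#aes256-gcm",
    "aes-128-cbc": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "tripledes-cbc": "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}
KEY_WRAP_URIS = {
    "rsa_oaep": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "rsa_15": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
}
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed configuration fragments. Only the requires/encryption nesting and
# the two attributes come from the advisory; the outer element shape is assumed.
CONFIG_HARDENED = """<jboss-ws-security><config><requires>
  <encryption algorithms="aes-192-gcm aes-256-gcm" keyWrapAlgorithms="rsa_oaep"/>
</requires></config></jboss-ws-security>"""
CONFIG_LEGACY = """<jboss-ws-security><config><requires>
  <encryption/>
</requires></config></jboss-ws-security>"""


def parse_id_list(value):
    """Split the space- or comma-separated ID list the advisory describes."""
    return value.replace(",", " ").split() if value else []


def load_allowed(wsse_config_xml):
    """Return (algorithms, keyWrapAlgorithms) read from requires/encryption."""
    enc = ET.fromstring(wsse_config_xml).find(".//requires/encryption")
    if enc is None:
        return [], []
    return parse_id_list(enc.get("algorithms")), parse_id_list(enc.get("keyWrapAlgorithms"))


def _uris(ids, table, kind):
    """Translate configured IDs to URIs; an unknown ID is a configuration error."""
    try:
        return {table[i] for i in ids}
    except KeyError as exc:
        raise ValueError(f"unknown {kind} algorithm ID in configuration: {exc}") from None


def check_incoming(message_xml, allowed_algorithms, allowed_key_wrap):
    """Decide, before any decryption, whether the message's algorithms are allowed.

    Returns (True, "ok") or (False, reason). An empty list disables that check,
    which is the advisory's backwards-compatible default.
    """
    allowed_data = _uris(allowed_algorithms, ALGORITHM_URIS, "encryption")
    allowed_wrap = _uris(allowed_key_wrap, KEY_WRAP_URIS, "key wrap")
    root = ET.fromstring(message_xml)
    checks = (("EncryptedKey", allowed_wrap, "key wrap"),
              ("EncryptedData", allowed_data, "encryption"))
    for element, allowed, kind in checks:
        if not allowed:
            continue  # empty list: no check, as in the advisory
        for node in root.iter(XENC + element):
            method = node.find(XENC + "EncryptionMethod")
            uri = method.get("Algorithm") if method is not None else None
            if uri not in allowed:  # a missing EncryptionMethod is refused too
                return False, f"{kind} algorithm not allowed: {uri}"
    return True, "ok"


def soap_message(data_alg_uri, wrap_alg_uri):
    """Constructed minimal WS-Security message; the CipherValues are placeholders."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{wrap_alg_uri}"/>
    <xenc:CipherData><xenc:CipherValue>Zm9v</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></soap:Header>
  <soap:Body><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="{data_alg_uri}"/>
    <xenc:CipherData><xenc:CipherValue>YmFy</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""


def demo():
    """Run the check under both configurations; returns {case: accepted?}."""
    good = soap_message(ALGORITHM_URIS["aes-256-gcm"], KEY_WRAP_URIS["rsa_oaep"])
    downgraded = soap_message(ALGORITHM_URIS["aes-128-cbc"], KEY_WRAP_URIS["rsa_15"])
    algs, wraps = load_allowed(CONFIG_HARDENED)
    results = {"hardened/good": check_incoming(good, algs, wraps)[0],
               "hardened/downgraded": check_incoming(downgraded, algs, wraps)[0]}
    algs, wraps = load_allowed(CONFIG_LEGACY)
    results["legacy/downgraded"] = check_incoming(downgraded, algs, wraps)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'refused'}")
```

The decision is taken purely from the EncryptionMethod URIs, so a message that has been steered towards CBC or RSA PKCS#1 v1.5 is refused before the stack touches any ciphertext; that is what removes the oracle the legacy algorithms expose. The 'legacy/downgraded' case is accepted only because the empty lists switch the check off, which is why the advisory's default should be replaced with explicit lists on every endpoint.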

Warning: Before applying this update, back up your existing JBoss
Enterprise Web Platform installation (including all applications and
configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise
Linux 4, 5, and 6 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Platform 5 EL4

SRPMS:
apache-cxf-2.2.12-12.patch_07.ep5.el4.src.rpm (file outdated by RHSA-2014:1833)
    MD5: eb8cd7221b0a87327d4242ac775456b5
    SHA-256: fe0a3a001725ebb995dbf663247bbf4efaf8437978009c92d7fcf0fa06482d5e
wss4j-1.5.12-6_patch_03.ep5.el4.src.rpm
    MD5: d5659d143d23d661cc46758a160a5436
    SHA-256: 9c24c57467de130dbe9ab73bf5e7c4c194d3daaa2585980d7b4ffc4730d7eea0

IA-32:
apache-cxf-2.2.12-12.patch_07.ep5.el4.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: af39c28f073607d89972ba981565cef5
    SHA-256: acc1b9913783ea002708247d2ca5f280fc424bbae26083217d4c5d5819e12c24
jbossws-3.1.2-14.SP15_patch_02.ep5.el4.noarch.rpm
    MD5: ca41a88c2f90fac8b6509cee03729dec
    SHA-256: fb54b3ae422acc7c22d7a3743484bec4b2c899995a59d1f517f7970faf00af70
wss4j-1.5.12-6_patch_03.ep5.el4.noarch.rpm
    MD5: 6cacaffedfba46b0960a0092866c5c42
    SHA-256: a5dc46e392b0f66188b282b690fc0b69c8d6717d7148f805e51296a111d3190d

x86_64:
apache-cxf-2.2.12-12.patch_07.ep5.el4.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: af39c28f073607d89972ba981565cef5
    SHA-256: acc1b9913783ea002708247d2ca5f280fc424bbae26083217d4c5d5819e12c24
jbossws-3.1.2-14.SP15_patch_02.ep5.el4.noarch.rpm
    MD5: ca41a88c2f90fac8b6509cee03729dec
    SHA-256: fb54b3ae422acc7c22d7a3743484bec4b2c899995a59d1f517f7970faf00af70
wss4j-1.5.12-6_patch_03.ep5.el4.noarch.rpm
    MD5: 6cacaffedfba46b0960a0092866c5c42
    SHA-256: a5dc46e392b0f66188b282b690fc0b69c8d6717d7148f805e51296a111d3190d
 
JBoss Enterprise Web Platform 5 EL5

SRPMS:
apache-cxf-2.2.12-12.patch_07.ep5.el5.src.rpm (file outdated by RHSA-2014:1833)
    MD5: 9e7e56011c34bfc69bd1b4da26f47678
    SHA-256: c7afd9ae97567a4bae9f37a23f013ef9f5beeaad90cec1a07d94bedb6ac3138f
jbossws-3.1.2-14.SP15_patch_02.ep5.el5.src.rpm
    MD5: d06597e6d733740c38181d696aaa80c7
    SHA-256: 89752dcfad131114be845e1a0bfeaceecf5a5c7f4a5e6032de2b9ce04dec8662

IA-32:
apache-cxf-2.2.12-12.patch_07.ep5.el5.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: c2fae29fea5f23f8c56259fa0289198a
    SHA-256: 6aedaea16f0f4b6772e76c8034280757d406a01e1ad596d2e01a8122c5e5389b
jbossws-3.1.2-14.SP15_patch_02.ep5.el5.noarch.rpm
    MD5: cb7d504a4c3565d892d4e290f0698a53
    SHA-256: 0cc585cbffcd27342a7e0900039bb02457555cea61b7eb73d1db34b5aab7778a
wss4j-1.5.12-6_patch_03.ep5.el5.noarch.rpm
    MD5: e77e9800a616f57c1a4850c3f7b00048
    SHA-256: 6cb2d28922ccddb45ffdfa86829239db14dcee81da18258fe1ad6379692f922f

x86_64:
apache-cxf-2.2.12-12.patch_07.ep5.el5.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: c2fae29fea5f23f8c56259fa0289198a
    SHA-256: 6aedaea16f0f4b6772e76c8034280757d406a01e1ad596d2e01a8122c5e5389b
jbossws-3.1.2-14.SP15_patch_02.ep5.el5.noarch.rpm
    MD5: cb7d504a4c3565d892d4e290f0698a53
    SHA-256: 0cc585cbffcd27342a7e0900039bb02457555cea61b7eb73d1db34b5aab7778a
wss4j-1.5.12-6_patch_03.ep5.el5.noarch.rpm
    MD5: e77e9800a616f57c1a4850c3f7b00048
    SHA-256: 6cb2d28922ccddb45ffdfa86829239db14dcee81da18258fe1ad6379692f922f
 
JBoss Enterprise Web Platform 5 EL6

SRPMS:
apache-cxf-2.2.12-12.patch_07.ep5.el6.src.rpm (file outdated by RHSA-2014:1833)
    MD5: 5f40d6a522239d26c1af1e054fac3cae
    SHA-256: be5fea942e2ce874d2547919219563b5feb602fb5d7f9625e64457f765dafc0a
jbossws-3.1.2-14.SP15_patch_02.ep5.el6.src.rpm
    MD5: e6196400f278865151e2c114da7349e7
    SHA-256: 414a71ed9ec37e0d24f966cbbf5001bc2dd5420f8cc7dbb152d4b963edc0a5c7

IA-32:
apache-cxf-2.2.12-12.patch_07.ep5.el6.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: eb6392a6b1114f3163a0289cd084bac4
    SHA-256: 6767a323837984ce1cc474fbd1afc6be5e7959ed1a586f2fb06f267fa5d270d9
jbossws-3.1.2-14.SP15_patch_02.ep5.el6.noarch.rpm
    MD5: 13c9db3271295c4e74e7bbc3e5a7935a
    SHA-256: 281a682225aa1b7f649f3000cce511b5ff84addc127d419679ef0ff6c9221249
wss4j-1.5.12-6_patch_03.ep5.el6.noarch.rpm
    MD5: 2db51d914478d4c73d6d90e94927ff6f
    SHA-256: 72b063d921a1f76532146d4f1d10d0e3eafca8b0771db0497c80010e757cbd50

x86_64:
apache-cxf-2.2.12-12.patch_07.ep5.el6.noarch.rpm (file outdated by RHSA-2014:1833)
    MD5: eb6392a6b1114f3163a0289cd084bac4
    SHA-256: 6767a323837984ce1cc474fbd1afc6be5e7959ed1a586f2fb06f267fa5d270d9
jbossws-3.1.2-14.SP15_patch_02.ep5.el6.noarch.rpm
    MD5: 13c9db3271295c4e74e7bbc3e5a7935a
    SHA-256: 281a682225aa1b7f649f3000cce511b5ff84addc127d419679ef0ff6c9221249
wss4j-1.5.12-6_patch_03.ep5.el6.noarch.rpm
    MD5: 2db51d914478d4c73d6d90e94927ff6f
    SHA-256: 72b063d921a1f76532146d4f1d10d0e3eafca8b0771db0497c80010e757cbd50
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

880443 - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/