Security Advisory Moderate: jboss-remoting security update

Advisory: RHSA-2013:1369-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-30
Last updated on: 2013-09-30
Affected Products: JBoss Enterprise Application Platform 5 EL4
                   JBoss Enterprise Application Platform 5 EL5
                   JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2013-4210

Details

An updated jboss-remoting package that fixes one security issue is now
available for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red
Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

JBoss Remoting is a framework for building distributed applications in
Java.

A denial of service flaw was found in the implementation of the
org.jboss.remoting.transport.socket.ServerThread class in JBoss Remoting.
An attacker could use this flaw to exhaust all available file descriptors
on the target server, preventing legitimate connections. Note that to
exploit this flaw remotely, the remoting port must be exposed directly or
indirectly (for example, deploying a public facing application that uses
JBoss Remoting could indirectly expose this flaw). (CVE-2013-4210)
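The symptom of the flaw described above is a JBoss server process that creeps toward, and finally reaches, its open-file limit. The following is an added example written for this page (it is not code from the advisory, from Red Hat, or from the JBoss Remoting project) showing a defender-side check for that condition on Linux: it reads the "Max open files" row from /proc/<pid>/limits, counts the entries in /proc/<pid>/fd, and classifies how close the process is to exhaustion. The 80% warning threshold and the sample limits text are assumptions constructed for the example.

```python
"""Added example (not part of the Red Hat advisory): detect a process
approaching file descriptor exhaustion, the symptom CVE-2013-4210 produces.
Linux only; the warning ratio and sample limits text are assumptions."""
import os
import re

# Matches the "Max open files" row of /proc/<pid>/limits (soft, hard, units).
LIMITS_LINE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)\s+files", re.M)


def parse_open_files_limit(limits_text: str) -> tuple:
    """Return (soft, hard) open-file limits from /proc/<pid>/limits text.
    'unlimited' is mapped to None."""
    m = LIMITS_LINE.search(limits_text)
    if not m:
        raise ValueError("no 'Max open files' row in limits text")

    def conv(value):
        return None if value == "unlimited" else int(value)

    return conv(m.group(1)), conv(m.group(2))


def fd_pressure(fd_count: int, soft_limit, warn_ratio: float = 0.8) -> dict:
    """Classify how close a process is to descriptor exhaustion."""
    if soft_limit is None:
        return {"level": "ok", "ratio": 0.0, "remaining": None}
    ratio = fd_count / soft_limit
    remaining = soft_limit - fd_count
    if remaining <= 0:
        level = "exhausted"
    elif ratio >= warn_ratio:
        level = "warning"
    else:
        level = "ok"
    return {"level": level, "ratio": round(ratio, 3), "remaining": remaining}


def check_process(pid: int, warn_ratio: float = 0.8) -> dict:
    """Live check of a running process, e.g. the JBoss server's JVM (Linux only)."""
    with open(f"/proc/{pid}/limits") as fh:
        soft, _hard = parse_open_files_limit(fh.read())
    fd_count = len(os.listdir(f"/proc/{pid}/fd"))
    result = fd_pressure(fd_count, soft, warn_ratio)
    result.update({"pid": pid, "fd_count": fd_count, "soft_limit": soft})
    return result


# Constructed sample of /proc/<pid>/limits; not captured from a real server.
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             4096                 4096                 processes
"""

if __name__ == "__main__":
    soft, hard = parse_open_files_limit(SAMPLE_LIMITS)
    print(fd_pressure(900, soft))   # warning: about 88% of the soft limit in use
    print(fd_pressure(1024, soft))  # exhausted: no descriptors left
```

Run `check_process(<jboss pid>)` from a cron job or monitoring agent; a "warning" level that rises steadily while the connection count stays flat is the pattern to investigate, and raising the soft limit only buys time until the updated package is installed.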

This issue was discovered by James Livingston of the Red Hat Support
Engineering Group.

Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated
package. The JBoss server process must be restarted for the update to take
effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

JBoss Enterprise Application Platform 5 EL4

SRPMS:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el4.src.rpm     MD5: cd5a4da0ee1b2ef40e8d17206e64cc79
SHA-256: ff71d20df419873dada1aaf00ec55b34581385d6693e50fbb20e16326049d9fb
 
IA-32:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el4.noarch.rpm     MD5: a251bec4b503d43a362c260ab3069153
SHA-256: ab5328c3b43f1f83dda5db22cb5beab1ff6039fb2988595e63cc9d40484c0bae
 
x86_64:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el4.noarch.rpm     MD5: a251bec4b503d43a362c260ab3069153
SHA-256: ab5328c3b43f1f83dda5db22cb5beab1ff6039fb2988595e63cc9d40484c0bae
 
JBoss Enterprise Application Platform 5 EL5

SRPMS:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el5.src.rpm     MD5: 28e99f59848d5581ed462ee56e56b05a
SHA-256: aaa0166eef4262aa60eff10e87a03b5fbdd10323a55cc72c3db1c00adc4f0a46
 
IA-32:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el5.noarch.rpm     MD5: 911c285dbedd182565a0fc8ee8af5631
SHA-256: 16b590051765fb75bed980819970b82131bf754198f69dc533eee6e246cb143d
 
x86_64:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el5.noarch.rpm     MD5: 911c285dbedd182565a0fc8ee8af5631
SHA-256: 16b590051765fb75bed980819970b82131bf754198f69dc533eee6e246cb143d
 
JBoss Enterprise Application Platform 5 EL6

SRPMS:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el6.src.rpm     MD5: 60bc40a6651bf6955d6f904d5abf7999
SHA-256: d12798fd19490d4590acabb4bbfcd549464d34938bf814861b9c23e850f5df92
 
IA-32:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el6.noarch.rpm     MD5: 6218b8f240e77c3c15b30d5dccc4dd66
SHA-256: c4924d17e4129ea45abb4f5b689566338f6d61d9bc3420b0349debe08457bc54
 
x86_64:
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el6.noarch.rpm     MD5: 6218b8f240e77c3c15b30d5dccc4dd66
SHA-256: c4924d17e4129ea45abb4f5b689566338f6d61d9bc3420b0349debe08457bc54
 
(The unlinked packages above are only available from the Red Hat Network)
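Two checks follow naturally from the Solution and the package list above: that a downloaded RPM matches the SHA-256 published here, and that the version actually installed on a host is at least the fixed release. The block below is an added example written for this page, not code from Red Hat or from the jboss-remoting project. The advisory excerpt it parses is copied from the EL6 entries above; the RPM label comparison is a simplified reimplementation of rpmvercmp written for this example (it does not handle the `~` or `^` forms), and the `rpm -q --qf` invocation in the docstring is the standard way to obtain the installed version-release string.

```python
"""Added example (not part of the Red Hat advisory): verify a downloaded
jboss-remoting RPM against the advisory's SHA-256 and check whether an
installed version is at least the fixed release. The version comparison is
a simplified rpmvercmp written for this example and is an assumption."""
import hashlib
import re

# Copied from the EL6 "Updated packages" block of this advisory.
ADVISORY_PACKAGES = """\
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el6.src.rpm     MD5: 60bc40a6651bf6955d6f904d5abf7999
SHA-256: d12798fd19490d4590acabb4bbfcd549464d34938bf814861b9c23e850f5df92
jboss-remoting-2.5.4-11.SP4_patch01.ep5.el6.noarch.rpm     MD5: 6218b8f240e77c3c15b30d5dccc4dd66
SHA-256: c4924d17e4129ea45abb4f5b689566338f6d61d9bc3420b0349debe08457bc54
"""


def parse_advisory_hashes(text: str) -> dict:
    """Map each listed .rpm file name to the SHA-256 on the line after it.
    The MD5 column is deliberately ignored: MD5 is not collision resistant,
    so SHA-256 is the value worth checking."""
    hashes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+\.rpm)\s+MD5:", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^SHA-256:\s*([0-9a-f]{64})\s*$", line)
        if m and current:
            hashes[current] = m.group(1)
            current = None
    return hashes


def verify_bytes(name: str, data: bytes, expected: dict) -> bool:
    """True when the SHA-256 of data matches the advisory entry for name."""
    if name not in expected:
        raise KeyError(f"{name} is not listed in the advisory")
    return hashlib.sha256(data).hexdigest() == expected[name]


def verify_rpm(path: str, expected: dict) -> bool:
    """Hash a file on disk and compare it with the advisory entry for its name."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_bytes(path.rsplit("/", 1)[-1], data, expected)


def _segments(label: str) -> list:
    # rpmvercmp splits on non-alphanumerics; digit runs compare numerically,
    # alpha runs lexically.
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_cmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts as newer
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed: str, fixed: str = "2.5.4-11.SP4_patch01.ep5.el6") -> bool:
    """installed is '<version>-<release>' as printed by
    rpm -q --qf '%{VERSION}-%{RELEASE}\\n' jboss-remoting.
    The default fixed label is the EL6 build from this advisory; pass the
    el4 or el5 label for those platforms."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    c = rpm_label_cmp(iv, fv) or rpm_label_cmp(ir, fr)
    return c >= 0


if __name__ == "__main__":
    expected = parse_advisory_hashes(ADVISORY_PACKAGES)
    print(sorted(expected))
    print(is_fixed("2.5.4-10.SP4.ep5.el6"))          # False: older than the fix
    print(is_fixed("2.5.4-11.SP4_patch01.ep5.el6"))  # True: the fixed build
```

The hash check complements, and does not replace, the GPG signature check described at the end of this advisory: the signature proves the package came from Red Hat, while the SHA-256 confirms the file you have is the exact build listed here.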

Bugs fixed (see bugzilla for more information)

994321 - CVE-2013-4210 JBoss Remoting: DoS by file descriptor exhaustion


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/