Security Advisory Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update

Advisory: RHSA-2014:0591-1
Type: Security Advisory
Severity: Important
Issued on: 2014-06-02
Last updated on: 2014-06-02
Affected Products: JBoss Enterprise Application Platform 5 EL4
JBoss Enterprise Application Platform 5 EL5
JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2014-0107

Details

Updated packages for JBoss Enterprise Application Platform 5.2.0 which fix
one security issue and one bug are now available for Red Hat Enterprise
Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

JBoss Enterprise Application Platform is a platform for Java applications,
which integrates the JBoss Application Server with JBoss Hibernate and
JBoss Seam.

It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features.
A remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)

This update also fixes the following bug:

It was observed that when using a Transformer to convert a StreamSource to
a DOMResult, the performance of the conversion degraded as the size of the
character data increased. For example, converting a 50 MB XML BLOB would
take a very long time to finish. This issue has been resolved in this
release by adjusting both the SAX2DOM and DOMBuilder classes to handle
larger inputs more efficiently. (JBPAPP-10991)

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up your existing Red
Hat JBoss Enterprise Application Platform 5 installation (including all
applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 5 EL4

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el4.src.rpm     MD5: ee2eb945d57a71b9ffb4ae7060ccc7a6
SHA-256: 3d6c43472ee31ef9f277dd085a8bb916d1c834e27f218d5d5557cd94d349b117
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm     MD5: 02277d05afb5d1bdf8d0e029b43f8f5d
SHA-256: f7176ea6c2e3d8eb9a97af61857f032366211ea4e2859d58b4c3561e5ade762b
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm     MD5: 02277d05afb5d1bdf8d0e029b43f8f5d
SHA-256: f7176ea6c2e3d8eb9a97af61857f032366211ea4e2859d58b4c3561e5ade762b
 
JBoss Enterprise Application Platform 5 EL5

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el5.src.rpm     MD5: d6300dd3fb326482a5ada4ffa828fbcc
SHA-256: e119ccb9780bdcc098586782e789358551276053721634f45ede98bfa286dc37
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm     MD5: 3e808a7dfe8ffdaf4bf59ebefc2d0cbe
SHA-256: 9b8ea49f43f100a16ef98571d55b1d43ee583d0a799cd10800dd9dfbd6c530a5
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm     MD5: 3e808a7dfe8ffdaf4bf59ebefc2d0cbe
SHA-256: 9b8ea49f43f100a16ef98571d55b1d43ee583d0a799cd10800dd9dfbd6c530a5
 
JBoss Enterprise Application Platform 5 EL6

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el6.src.rpm     MD5: abddf5fd55278e93798923666a8bda34
SHA-256: e34cb335ef4d76e214f6a74b831bac25127d2f022a868e7943b280b7e8c95bb3
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm     MD5: d8e2f9b519db0fff5bd604fd4fca0876
SHA-256: bfb4094f4224c51efbcc8731762f6f1fe877ae26750c6f9c45157665a0498bba
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm     MD5: d8e2f9b519db0fff5bd604fd4fca0876
SHA-256: bfb4094f4224c51efbcc8731762f6f1fe877ae26750c6f9c45157665a0498bba
 
(The unlinked packages above are only available from the Red Hat Network)
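The solution steps above (apply prior errata, back up, install via the Red Hat Network, restart JBoss) leave two things an operator usually confirms by hand: that the RPM fetched matches the SHA-256 listed in the package table, and that the xalan-j2 build actually installed is at or past 2.7.1-12_patch_08.ep5. The POSIX sh script below is an added example for this page, not Red Hat's own tooling. The hashes are copied from the table above; the version logic assumes Red Hat's VERSION-RELEASE layout for this package (a numeric release followed by an optional _patch_NN suffix); the live checks assume the rpm, ps and sha256sum commands found on RHEL and are skipped when rpm is absent. The older version strings in the comments are constructed for illustration only.

```shell
#!/bin/sh
# Post-update checks for RHSA-2014:0591 (xalan-j2 on JBoss EAP 5.2.0).
# Added example, not Red Hat tooling. POSIX sh; rpm/ps/sha256sum assumed on RHEL.

FIXED_VERSION="2.7.1"   # fixed build from this advisory: xalan-j2-2.7.1-12_patch_08.ep5
FIXED_RELEASE=12
FIXED_PATCH=8

# SHA-256 of the updated noarch binary RPMs, copied from the advisory's package table.
sha256_for_rpm() {
    case "$1" in
        xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm)
            echo f7176ea6c2e3d8eb9a97af61857f032366211ea4e2859d58b4c3561e5ade762b ;;
        xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm)
            echo 9b8ea49f43f100a16ef98571d55b1d43ee583d0a799cd10800dd9dfbd6c530a5 ;;
        xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm)
            echo bfb4094f4224c51efbcc8731762f6f1fe877ae26750c6f9c45157665a0498bba ;;
        *) return 1 ;;   # not a package from this advisory
    esac
}

# sha256_of FILE: hex digest, using sha256sum or (on systems without it) shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_rpm FILE: 0 only if FILE's digest matches the advisory's value for that name
verify_rpm() {
    expected=$(sha256_for_rpm "$(basename "$1")") || { echo "no advisory entry for $1"; return 1; }
    if [ "$(sha256_of "$1")" = "$expected" ]; then return 0; else return 1; fi
}

# ver_ge A B: 0 if dotted numeric version A >= B (non-numeric components count as 0)
ver_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        case "$x" in ""|*[!0-9]*) x=0 ;; esac
        case "$y" in ""|*[!0-9]*) y=0 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# xalan_is_fixed VERSION-RELEASE: 0 if at or past the fixed build, 1 otherwise.
# e.g. "2.7.1-12_patch_08.ep5.el6" -> fixed; "2.7.1-12_patch_07.ep5.el6" (constructed older string) -> not.
xalan_is_fixed() {
    case "$1" in *-*) ;; *) return 1 ;; esac
    ver=${1%%-*}
    rel=${1#*-}
    relnum=$(printf '%s' "$rel" | sed 's/^\([0-9]*\).*/\1/')
    case "$rel" in
        *_patch_*) patch=${rel#*_patch_}; patch=${patch%%.*} ;;
        *) patch=0 ;;
    esac
    patch=$(printf '%s' "$patch" | sed 's/^0*//')   # "08" -> "8"
    relnum=${relnum:-0}; patch=${patch:-0}
    ver_ge "$ver" "$FIXED_VERSION" || return 1        # older upstream version
    ver_ge "$FIXED_VERSION" "$ver" || return 0        # newer upstream version
    if [ "$relnum" -ne "$FIXED_RELEASE" ]; then
        [ "$relnum" -gt "$FIXED_RELEASE" ] && return 0
        return 1
    fi
    if [ "$patch" -ge "$FIXED_PATCH" ]; then return 0; else return 1; fi
}

# installed_xalan_vr: VERSION-RELEASE of the installed xalan-j2 package
installed_xalan_vr() {
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' xalan-j2
}

# JBoss java processes: any started before the package install time still has the
# old Xalan classes loaded and must be restarted, as the advisory requires.
jboss_processes() {
    ps -eo pid=,lstart=,args= | grep -i '[j]boss' || true
}

if command -v rpm >/dev/null 2>&1 && vr=$(installed_xalan_vr); then
    if xalan_is_fixed "$vr"; then
        echo "xalan-j2 $vr: fixed build, installed $(rpm -q --queryformat '%{INSTALLTIME:date}' xalan-j2)"
        echo "JBoss processes (restart any started before that time):"
        jboss_processes
    else
        echo "xalan-j2 $vr: still affected by CVE-2014-0107; apply RHSA-2014:0591"
    fi
fi
```

Run `verify_rpm xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm` on the downloaded file before `rpm -Uvh`, and `rpm --checksig` on it as well, since the hash table only proves integrity of the download while the GPG signature proves origin.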

Bugs fixed (see bugzilla for more information)

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/