CVE-2012-0818 (GCVE-0-2012-0818)
Vulnerability from cvelistv5 – Published: 2012-11-23 20:00 – Updated: 2024-08-06 18:38 – n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:38:14.782Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"name": "RHSA-2012:1059",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1059.html"
},
{
"name": "51748",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/51748"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.jboss.org/browse/RESTEASY-637"
},
{
"name": "RHSA-2012:1056",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1056.html"
},
{
"name": "RHSA-2012:1058",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1058.html"
},
{
"name": "51766",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/51766"
},
{
"name": "78679",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/78679"
},
{
"name": "RHSA-2012:0519",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-0519.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2014:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
},
{
"name": "RHSA-2012:1057",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1057.html"
},
{
"name": "resteasy-xml-info-disclosure(72808)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72808"
},
{
"name": "48954",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48954"
},
{
"name": "RHSA-2012:0441",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-0441.html"
},
{
"name": "47832",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/47832"
},
{
"name": "57719",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57719"
},
{
"name": "57716",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57716"
},
{
"name": "47818",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/47818"
},
{
"name": "RHSA-2014:0372",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
},
{
"name": "48697",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48697"
},
{
"name": "RHSA-2012:1125",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1125.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"name": "RHSA-2012:1059",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1059.html"
},
{
"name": "51748",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/51748"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.jboss.org/browse/RESTEASY-637"
},
{
"name": "RHSA-2012:1056",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1056.html"
},
{
"name": "RHSA-2012:1058",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1058.html"
},
{
"name": "51766",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/51766"
},
{
"name": "78679",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/78679"
},
{
"name": "RHSA-2012:0519",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-0519.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2014:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
},
{
"name": "RHSA-2012:1057",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1057.html"
},
{
"name": "resteasy-xml-info-disclosure(72808)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72808"
},
{
"name": "48954",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48954"
},
{
"name": "RHSA-2012:0441",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-0441.html"
},
{
"name": "47832",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/47832"
},
{
"name": "57719",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57719"
},
{
"name": "57716",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57716"
},
{
"name": "47818",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/47818"
},
{
"name": "RHSA-2014:0372",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
},
{
"name": "48697",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48697"
},
{
"name": "RHSA-2012:1125",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1125.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-0818",
"datePublished": "2012-11-23T20:00:00.000Z",
"dateReserved": "2012-01-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:38:14.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2012-0818",
"date": "2026-05-27",
"epss": "0.01376",
"percentile": "0.80505"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.3.0\", \"matchCriteriaId\": \"1B9CAFED-9068-40C0-BD72-72D01F433DB0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:1.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"02480F00-302E-49DA-9FF3-41DC8A5A5E39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:1.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59E0CE57-59C4-485C-87DB-CD5E3EDFBFC6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D332D87E-6270-4DC6-8EC2-8053890DA545\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D0A15B5C-0538-4C1E-99FC-E4620D4157BD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AC38C8FE-62D3-4FC6-8BF0-6437A1FC9F26\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B945333E-1B4E-4B60-B060-1186B8AC2527\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F75F5EC0-639A-40D3-871D-1FA38BF1A37E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"22F557EA-05E8-4773-BB81-C0EBFE89C61F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6EB842B8-6D95-484F-AE07-9C97BFD161D8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC3D6E8C-E691-404C-9647-3ABFBF66FCDD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:resteasy:2.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"715FCD38-C218-45AB-824A-0EA7908BA951\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:redhat:resteasy:2.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"45635C9A-7AA2-42E0-95CC-C1DEC0AF60BC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.\"}, {\"lang\": \"es\", \"value\": \"RESTEasy anterior a v2.3.1 permite a atacantes remotos leer archivos de su elecci\\u00f3n a trav\\u00e9s de una referencia de entidad externa en un documento DOM, tambi\\u00e9n conocido como un ataque de inyecci\\u00f3n XML de entidad externa (XXE)\"}]",
"id": "CVE-2012-0818",
"lastModified": "2024-11-21T01:35:46.960",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2012-11-23T20:55:02.320",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-0441.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-0519.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1056.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1057.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1058.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1059.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1125.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0371.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0372.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/47818\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/47832\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/48697\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/48954\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/50084\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/57716\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/57719\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.osvdb.org/78679\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"http://www.securityfocus.com/bid/51748\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/51766\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=785631\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/72808\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://issues.jboss.org/browse/RESTEASY-637\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-0441.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-0519.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1056.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1057.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1058.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1059.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1125.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0371.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0372.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/47818\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": 
\"http://secunia.com/advisories/47832\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/48697\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/48954\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/50084\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/57716\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/57719\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.osvdb.org/78679\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/51748\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/51766\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=785631\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/72808\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://issues.jboss.org/browse/RESTEASY-637\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2012-0818\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2012-11-23T20:55:02.320\",\"lastModified\":\"2026-04-29T01:13:23.040\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.\"},{\"lang\":\"es\",\"value\":\"RESTEasy anterior a v2.3.1 permite a atacantes remotos leer archivos de su elecci\u00f3n a trav\u00e9s de una referencia de entidad externa en un documento DOM, tambi\u00e9n conocido como un ataque de inyecci\u00f3n XML de entidad externa (XXE)\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3.0\",\"matchCriteriaId\":\"1B9CAFED-9068-40C0-BD72-72D01F433DB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"02480F00-302E-49DA-9FF3-41DC8A5A5E39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59E0CE57-59C4-485C-87DB-CD5E3EDFBFC6\"},{\"vulnera
ble\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D332D87E-6270-4DC6-8EC2-8053890DA545\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0A15B5C-0538-4C1E-99FC-E4620D4157BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC38C8FE-62D3-4FC6-8BF0-6437A1FC9F26\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B945333E-1B4E-4B60-B060-1186B8AC2527\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F75F5EC0-639A-40D3-871D-1FA38BF1A37E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22F557EA-05E8-4773-BB81-C0EBFE89C61F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6EB842B8-6D95-484F-AE07-9C97BFD161D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC3D6E8C-E691-404C-9647-3ABFBF66FCDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"715FCD38-C218-45AB-824A-0EA7908BA951\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:resteasy:2.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45635C9A-7AA2-42E0-95CC-C1DEC0AF60BC\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-0441.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-0519.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1056.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1057.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1058.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1059.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1125.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0371.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0372.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/47818\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/47832\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/48697\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/48954\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/50084\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/57716\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57719\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.osvdb.org/78679\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/51748\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/51766\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=785631\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/72808\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://issues.jboss.org/browse/RESTEASY-637\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-0441.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-0519.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1056.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1057.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1058.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1059.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1125.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0371.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0372.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/47818\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/47832\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/48697\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/48954\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/50084\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://secunia.com/advisories/57716\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57719\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/78679\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/51748\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/51766\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=785631\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/72808\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.jboss.org/browse/RESTEASY-637\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
}
}
RHSA-2012_1125
Vulnerability from csaf_redhat - Published: 2012-07-31 14:24 - Updated: 2024-11-22 05:43

Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818. Note: per this advisory's notes, the RESTEasy XXE fix shipped in SOA Platform 5.3.0 is not enabled by default; consult the advisory's Solution section to enable it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. Note: per this advisory's notes, the RESTEasy XXE fix shipped in SOA Platform 5.3.0 is not enabled by default; consult the advisory's Solution section to enable it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss SOA Platform 5.3 (Red Hat / Red Hat JBoss Middleware) | cpe:/a:redhat:jboss_soa_platform:5.3 | — | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JBoss Enterprise SOA Platform is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement\nfor JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and\nenhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThe following security issues are also fixed with this release:\n\nIt was found that the JBoss JNDI service allowed unauthenticated, remote\nwrite access by default. The JNDI and HA-JNDI services, and the\nHAJNDIFactory invoker servlet were all affected. A remote attacker able to\naccess the JNDI service (port 1099), HA-JNDI service (port 1100), or the\nHAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,\ndelete, and modify items in the JNDI tree. This could have various,\napplication-specific impacts. (CVE-2011-4605)\n\nA denial of service flaw was found in the implementation of associative\narrays (hashes) in JRuby. An attacker able to supply a large number of\ninputs to a JRuby application (such as HTTP POST request parameters sent to\na web application) that are used as keys when inserting data into an array\ncould trigger multiple hash function collisions, making array operations\ntake an excessive amount of CPU time. To mitigate this issue, randomization\nhas been added to the hash function to reduce the chance of an attacker\nsuccessfully causing intentional collisions. (CVE-2011-4838)\n\nNote: JBoss Enterprise SOA Platform only provides JRuby as a dependency of\nthe scripting_chain quickstart example application. The CVE-2011-4838 flaw\nis not exposed unless the version of JRuby shipped with that quickstart is\nused by a deployed, custom application.\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. 
If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. The fix for this issue is not\nenabled by default. Refer to the Solution section for details.\n(CVE-2012-0818)\n\nMultiple flaws were found in the Oracle OpenSSO authentication and\nadministration components. A remote attacker could use these flaws to\naffect the integrity and availability of a service that uses Oracle\nOpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)\n\nNote: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of\nthe opensso quickstart example application. The CVE-2011-3506,\nCVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso\nquickstart example application is deployed, or you have created and\ndeployed a custom application that is packaged with a copy of Oracle\nOpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in this release to address these\nflaws. Users interested in continuing to receive updates for their custom\napplications using Oracle OpenSSO are advised to contact Oracle as Red Hat\nis no longer supporting OpenSSO.\n\nWhen a JGroups channel is started, the JGroups diagnostics service would be\nenabled by default with no authentication. This service is exposed via IP\nmulticast. An attacker on an adjacent network could exploit this flaw to\nread diagnostics information. (CVE-2012-2377)\n\nRed Hat would like to thank Christian Schl\u00fcter (VIADA) for reporting\nCVE-2011-4605, and oCERT for reporting CVE-2011-4838. 
oCERT\nacknowledges Julian W\u00e4lde and Alexander Klink as the original reporters of\nCVE-2011-4838.\n\nWarning: Before installing version 5.3.0, back up your existing JBoss\nEnterprise SOA Platform installation (including its databases,\napplications, configuration files, and so on).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1125",
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/",
"url": "https://access.redhat.com/knowledge/docs/"
},
{
"category": "external",
"summary": "749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1125.json"
}
],
"title": "Red Hat Security Advisory: JBoss Enterprise SOA Platform 5.3.0 update",
"tracking": {
"current_release_date": "2024-11-22T05:43:20+00:00",
"generator": {
"date": "2024-11-22T05:43:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2012:1125",
"initial_release_date": "2012-07-31T14:24:00+00:00",
"revision_history": [
{
"date": "2012-07-31T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-07-31T14:32:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T05:43:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_soa_platform:5.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-3506",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749078"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3506"
},
{
"category": "external",
"summary": "RHBZ#749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3506",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"cve": "CVE-2011-3517",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749079"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3517"
},
{
"category": "external",
"summary": "RHBZ#749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"acknowledgments": [
{
"names": [
"Christian Schl\u00fcter"
],
"organization": "VIADA"
}
],
"cve": "CVE-2011-4605",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2011-12-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "766469"
}
],
"notes": [
{
"category": "description",
"text": "The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JNDI: unauthenticated remote write access is permitted by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4605"
},
{
"category": "external",
"summary": "RHBZ#766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4605",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4605"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605"
}
],
"release_date": "2012-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JNDI: unauthenticated remote write access is permitted by default"
},
{
"acknowledgments": [
{
"names": [
"oCERT"
]
}
],
"cve": "CVE-2011-4838",
"discovery_date": "2011-11-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "770820"
}
],
"notes": [
{
"category": "description",
"text": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jruby: hash table collisions DoS (oCERT-2011-003)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4838"
},
{
"category": "external",
"summary": "RHBZ#770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4838",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838"
}
],
"release_date": "2011-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jruby: hash table collisions DoS (oCERT-2011-003)"
},
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0079",
"discovery_date": "2012-01-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "783898"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0079"
},
{
"category": "external",
"summary": "RHBZ#783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0079",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0079"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079"
}
],
"release_date": "2012-01-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-1167",
"discovery_date": "2012-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "802622"
}
],
"notes": [
{
"category": "description",
"text": "The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-1167"
},
{
"category": "external",
"summary": "RHBZ#802622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=802622"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-1167",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-1167"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm"
},
{
"acknowledgments": [
{
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-2377",
"discovery_date": "2012-05-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "823392"
}
],
"notes": [
{
"category": "description",
"text": "JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-2377"
},
{
"category": "external",
"summary": "RHBZ#823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-2377",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2377"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started"
}
]
}
RHSA-2013:1263
Vulnerability from csaf_redhat - Published: 2013-09-16 03:07 - Updated: 2025-11-21 17:45 - CVE-2012-0818: RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Red Hat Storage Console packages that fix one security issue,\nvarious bugs, and add enhancements are now available for Red Hat Storage\nServer 2.1.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Storage Console (RHS-C) is a powerful and simple web based\nGraphical User Interface for managing a Red Hat Storage 2.1 environment.\nThis feature is provided as a Technology Preview, and is currently not\nsupported under Red Hat Storage subscription services. Refer to the\nfollowing for more information about Technology Previews:\nhttps://access.redhat.com/support/offerings/techpreview/\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker who is able to access the Red Hat Storage\nConsole REST API submitted a request containing an external XML entity\nto a RESTEasy endpoint, the entity would be resolved, allowing the\nattacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2012-0818)\n\nThis update also fixes the following bugs:\n\n* A new server could not be added to a cluster if the required packages\nwere not installed on the server. Now, the administrator can add a server\nto a cluster which will automatically install the required packages, if\nmissing. (BZ#850431)\n\n* Previously, the rhs-log-collector tool did not collect GlusterFS related\nlogs. (BZ#855271)\n\n* Previously, it was not possible for rhsc-setup to complete successfully\non systems that have SELinux in disabled mode. (BZ#841342)\n\n* The \u0027Add Brick\u0027 button in the \u0027Add Bricks\u0027 pop up is now placed next to\nthe \u0027Brick Directory\u0027 field for a better UI experience. (BZ#863929)\n\n* The UUID of the volume was not visible. Now, a new field is added to the\n\u0027Summary\u0027 sub-tab of the \u0027Volumes\u0027 tab to display the UUIDs. (BZ#887806)\n\n* The web console was not accessible after a server reboot. The setup\nmechanism has been modified to ensure the web console is accessible after a\nserver reboot. 
(BZ#838284)\n\nThis update also adds the following enhancements:\n\n* Previously, to import an existing storage cluster into the Red Hat\nStorage Console the hosts were added one by one. Now, a new feature has\nbeen added that allows users to import an existing storage cluster. The new\nCluster Creation window has an option to import an existing storage\ncluster. If IP_Address or the hostname and password of one of the hosts of\nthe cluster is entered, a list containing all the hosts of the cluster is\ndisplayed and the same can be added to the Console. The volumes which are\npart of the cluster also get imported. (BZ#850438)\n\n* The command line was required to enable a volume to use CIFS. Now, you\ncan enable or disable the export of a volume with the new \u0027CIFS\u0027 checkbox\nin the \u0027Create Volume\u0027 window. (BZ#850452)\n\n* The new Red Hat Support plug-in for Red Hat Storage is a Technology\nPreview feature that offers seamless, integrated access to the Red Hat\nsubscription services from the Red Hat Customer Portal. Subscribers who\ninstall this plug-in can access these features:\n\n- Create, manage, and update the Red Hat support cases.\n- Conveniently access exclusive Red Hat knowledge and solutions.\n- Search error codes, messages, etc. and view related knowledge from the\nRed Hat Customer Portal. (BZ#999245)\n\n* A new \u0027Event ID\u0027 column is added to the \u0027Events\u0027 table in the \u0027Advanced\nView\u0027 of \u0027Events\u0027 tab which allows users to see the ID of each event in the\n\u0027Events\u0027 tab. (BZ#889942)\n\n* A new feature is added to manage and monitor the hooks on the Console. It\nalso reports changes in the hooks and checks for new hook scripts by\npolling at regular intervals. (BZ#850483)\n\n* A new \u0027Optimize for Virt Store\u0027 option is added to optimize a volume to\nuse it as a virt store. 
The system sets the \"virt\" group option on the\nvolume and also the following two volume options:\n\n- storage.owner-uid=36\n- storage.owner-gid=36\n\nThis option is available during volume creation and also for existing\nvolumes. (BZ#891493, BZ#891491)\n\nAll users of Red Hat Storage Server 2.1 are advised to upgrade to these\nupdated packages.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1263",
"url": "https://access.redhat.com/errata/RHSA-2013:1263"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/support/offerings/techpreview/",
"url": "https://access.redhat.com/support/offerings/techpreview/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "855271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855271"
},
{
"category": "external",
"summary": "863929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=863929"
},
{
"category": "external",
"summary": "887806",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=887806"
},
{
"category": "external",
"summary": "889942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=889942"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1263.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Storage Console 2.1 security update",
"tracking": {
"current_release_date": "2025-11-21T17:45:22+00:00",
"generator": {
"date": "2025-11-21T17:45:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2013:1263",
"initial_release_date": "2013-09-16T03:07:00+00:00",
"revision_history": [
{
"date": "2013-09-16T03:07:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-09-16T03:08:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:45:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Storage Console 2.1",
"product": {
"name": "Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:2.1:console:el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Gluster Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ply-0:3.3-7.el6ev.noarch",
"product": {
"name": "python-ply-0:3.3-7.el6ev.noarch",
"product_id": "python-ply-0:3.3-7.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ply@3.3-7.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-daemon-0:1.5.2-1.el6.noarch",
"product": {
"name": "python-daemon-0:1.5.2-1.el6.noarch",
"product_id": "python-daemon-0:1.5.2-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-daemon@1.5.2-1.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product": {
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product_id": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-kitchen@1.1.1-2.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_id": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-sdk@2.1.0.0-0.bb3a.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_id": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-cli@2.1.0.0-0.bb3a.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product_id": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-log-collector@2.1-0.1.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-lockfile-0:0.8-5.el6.noarch",
"product": {
"name": "python-lockfile-0:0.8-5.el6.noarch",
"product_id": "python-lockfile-0:0.8-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-lockfile@0.8-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-webadmin-portal@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-tools@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-restapi@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-backend@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-dbscripts@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-setup@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-repolib@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-devel@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-java@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy-java@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy-repolib@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product_id": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-access-plugin-storage@2.1.0-0.el6rhs?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ply-0:3.3-7.el6ev.src",
"product": {
"name": "python-ply-0:3.3-7.el6ev.src",
"product_id": "python-ply-0:3.3-7.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ply@3.3-7.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-daemon-0:1.5.2-1.el6.src",
"product": {
"name": "python-daemon-0:1.5.2-1.el6.src",
"product_id": "python-daemon-0:1.5.2-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-daemon@1.5.2-1.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-kitchen-0:1.1.1-2.el6ev.src",
"product": {
"name": "python-kitchen-0:1.1.1-2.el6ev.src",
"product_id": "python-kitchen-0:1.1.1-2.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-kitchen@1.1.1-2.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_id": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-sdk@2.1.0.0-0.bb3a.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_id": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-cli@2.1.0.0-0.bb3a.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product_id": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-log-collector@2.1-0.1.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-lockfile-0:0.8-5.el6.src",
"product": {
"name": "python-lockfile-0:0.8-5.el6.src",
"product_id": "python-lockfile-0:0.8-5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-lockfile@0.8-5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product_id": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc@2.1.0-0.bb10.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "otopi-0:1.1.0-1.el6ev.src",
"product": {
"name": "otopi-0:1.1.0-1.el6ev.src",
"product_id": "otopi-0:1.1.0-1.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi@1.1.0-1.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product_id": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy@1.1.0-1.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product_id": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-access-plugin-storage@2.1.0-0.el6rhs?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-0:1.1.0-1.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src"
},
"product_reference": "otopi-0:1.1.0-1.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-java-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-java-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src"
},
"product_reference": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-daemon-0:1.5.2-1.el6.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch"
},
"product_reference": "python-daemon-0:1.5.2-1.el6.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-daemon-0:1.5.2-1.el6.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src"
},
"product_reference": "python-daemon-0:1.5.2-1.el6.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch"
},
"product_reference": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-kitchen-0:1.1.1-2.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src"
},
"product_reference": "python-kitchen-0:1.1.1-2.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lockfile-0:0.8-5.el6.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch"
},
"product_reference": "python-lockfile-0:0.8-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lockfile-0:0.8-5.el6.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src"
},
"product_reference": "python-lockfile-0:0.8-5.el6.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ply-0:3.3-7.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch"
},
"product_reference": "python-ply-0:3.3-7.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ply-0:3.3-7.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src"
},
"product_reference": "python-ply-0:3.3-7.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch"
},
"product_reference": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src"
},
"product_reference": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src"
},
"product_reference": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch"
},
"product_reference": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src"
},
"product_reference": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch"
},
"product_reference": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src"
},
"product_reference": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch"
},
"product_reference": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src"
},
"product_reference": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-09-16T03:07:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1263"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
}
]
}
RHSA-2013_1263
Vulnerability from csaf_redhat - Published: 2013-09-16 03:07 - Updated: 2024-11-14 11:32

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. For Red Hat Storage Console 2.1 the exposed surface is the Console REST API, and the impact is reading files accessible to the user running the application server (CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N; Red Hat rates the update Moderate) — see the Details note in the advisory below.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Red Hat Storage Console packages that fix one security issue,\nvarious bugs, and add enhancements are now available for Red Hat Storage\nServer 2.1.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Storage Console (RHS-C) is a powerful and simple web based\nGraphical User Interface for managing a Red Hat Storage 2.1 environment.\nThis feature is provided as a Technology Preview, and is currently not\nsupported under Red Hat Storage subscription services. Refer to the\nfollowing for more information about Technology Previews:\nhttps://access.redhat.com/support/offerings/techpreview/\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker who is able to access the Red Hat Storage\nConsole REST API submitted a request containing an external XML entity\nto a RESTEasy endpoint, the entity would be resolved, allowing the\nattacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2012-0818)\n\nThis update also fixes the following bugs:\n\n* A new server could not be added to a cluster if the required packages\nwere not installed on the server. Now, the administrator can add a server\nto a cluster which will automatically install the required packages, if\nmissing. (BZ#850431)\n\n* Previously, the rhs-log-collector tool did not collect GlusterFS related\nlogs. (BZ#855271)\n\n* Previously, it was not possible for rhsc-setup to complete successfully\non systems that have SELinux in disabled mode. (BZ#841342)\n\n* The \u0027Add Brick\u0027 button in the \u0027Add Bricks\u0027 pop up is now placed next to\nthe \u0027Brick Directory\u0027 field for a better UI experience. (BZ#863929)\n\n* The UUID of the volume was not visible. Now, a new field is added to the\n\u0027Summary\u0027 sub-tab of the \u0027Volumes\u0027 tab to display the UUIDs. (BZ#887806)\n\n* The web console was not accessible after a server reboot. The setup\nmechanism has been modified to ensure the web console is accessible after a\nserver reboot. (BZ#838284)\n\nThis update also adds the following enhancements:\n\n* Previously, to import an existing storage cluster into the Red Hat\nStorage Console the hosts were added one by one. Now, a new feature has\nbeen added that allows users to import an existing storage cluster. The new\nCluster Creation window has an option to import an existing storage\ncluster. If IP_Address or the hostname and password of one of the hosts of\nthe cluster is entered, a list containing all the hosts of the cluster is\ndisplayed and the same can be added to the Console. The volumes which are\npart of the cluster also get imported. (BZ#850438)\n\n* The command line was required to enable a volume to use CIFS. Now, you\ncan enable or disable the export of a volume with the new \u0027CIFS\u0027 checkbox\nin the \u0027Create Volume\u0027 window. (BZ#850452)\n\n* The new Red Hat Support plug-in for Red Hat Storage is a Technology\nPreview feature that offers seamless, integrated access to the Red Hat\nsubscription services from the Red Hat Customer Portal. Subscribers who\ninstall this plug-in can access these features:\n\n- Create, manage, and update the Red Hat support cases.\n- Conveniently access exclusive Red Hat knowledge and solutions.\n- Search error codes, messages, etc. and view related knowledge from the\nRed Hat Customer Portal. (BZ#999245)\n\n* A new \u0027Event ID\u0027 column is added to the \u0027Events\u0027 table in the \u0027Advanced\nView\u0027 of \u0027Events\u0027 tab which allows users to see the ID of each event in the\n\u0027Events\u0027 tab. (BZ#889942)\n\n* A new feature is added to manage and monitor the hooks on the Console. It\nalso reports changes in the hooks and checks for new hook scripts by\npolling at regular intervals. (BZ#850483)\n\n* A new \u0027Optimize for Virt Store\u0027 option is added to optimize a volume to\nuse it as a virt store. The system sets the \"virt\" group option on the\nvolume and also the following two volume options:\n\n- storage.owner-uid=36\n- storage.owner-gid=36\n\nThis option is available during volume creation and also for existing\nvolumes. (BZ#891493, BZ#891491)\n\nAll users of Red Hat Storage Server 2.1 are advised to upgrade to these\nupdated packages.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1263",
"url": "https://access.redhat.com/errata/RHSA-2013:1263"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/support/offerings/techpreview/",
"url": "https://access.redhat.com/support/offerings/techpreview/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "855271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855271"
},
{
"category": "external",
"summary": "863929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=863929"
},
{
"category": "external",
"summary": "887806",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=887806"
},
{
"category": "external",
"summary": "889942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=889942"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1263.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Storage Console 2.1 security update",
"tracking": {
"current_release_date": "2024-11-14T11:32:23+00:00",
"generator": {
"date": "2024-11-14T11:32:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2013:1263",
"initial_release_date": "2013-09-16T03:07:00+00:00",
"revision_history": [
{
"date": "2013-09-16T03:07:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-09-16T03:08:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T11:32:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Storage Console 2.1",
"product": {
"name": "Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:2.1:console:el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Gluster Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ply-0:3.3-7.el6ev.noarch",
"product": {
"name": "python-ply-0:3.3-7.el6ev.noarch",
"product_id": "python-ply-0:3.3-7.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ply@3.3-7.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-daemon-0:1.5.2-1.el6.noarch",
"product": {
"name": "python-daemon-0:1.5.2-1.el6.noarch",
"product_id": "python-daemon-0:1.5.2-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-daemon@1.5.2-1.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product": {
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product_id": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-kitchen@1.1.1-2.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_id": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-sdk@2.1.0.0-0.bb3a.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_id": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-cli@2.1.0.0-0.bb3a.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product_id": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-log-collector@2.1-0.1.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-lockfile-0:0.8-5.el6.noarch",
"product": {
"name": "python-lockfile-0:0.8-5.el6.noarch",
"product_id": "python-lockfile-0:0.8-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-lockfile@0.8-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-webadmin-portal@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-tools@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-restapi@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-backend@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-dbscripts@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product": {
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product_id": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-setup@2.1.0-0.bb10.el6rhs?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-repolib@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-devel@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product_id": "otopi-java-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi-java@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy-java@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product": {
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product_id": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy-repolib@1.1.0-1.el6ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product_id": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-access-plugin-storage@2.1.0-0.el6rhs?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ply-0:3.3-7.el6ev.src",
"product": {
"name": "python-ply-0:3.3-7.el6ev.src",
"product_id": "python-ply-0:3.3-7.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ply@3.3-7.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-daemon-0:1.5.2-1.el6.src",
"product": {
"name": "python-daemon-0:1.5.2-1.el6.src",
"product_id": "python-daemon-0:1.5.2-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-daemon@1.5.2-1.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-kitchen-0:1.1.1-2.el6ev.src",
"product": {
"name": "python-kitchen-0:1.1.1-2.el6ev.src",
"product_id": "python-kitchen-0:1.1.1-2.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-kitchen@1.1.1-2.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_id": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-sdk@2.1.0.0-0.bb3a.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_id": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-cli@2.1.0.0-0.bb3a.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product_id": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc-log-collector@2.1-0.1.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-lockfile-0:0.8-5.el6.src",
"product": {
"name": "python-lockfile-0:0.8-5.el6.src",
"product_id": "python-lockfile-0:0.8-5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-lockfile@0.8-5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product_id": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhsc@2.1.0-0.bb10.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "otopi-0:1.1.0-1.el6ev.src",
"product": {
"name": "otopi-0:1.1.0-1.el6ev.src",
"product_id": "otopi-0:1.1.0-1.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/otopi@1.1.0-1.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product_id": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-host-deploy@1.1.0-1.el6ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product_id": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-access-plugin-storage@2.1.0-0.el6rhs?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-0:1.1.0-1.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src"
},
"product_reference": "otopi-0:1.1.0-1.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-devel-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-devel-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-java-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-java-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otopi-repolib-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "otopi-repolib-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-0:1.1.0-1.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src"
},
"product_reference": "ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch"
},
"product_reference": "ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-daemon-0:1.5.2-1.el6.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch"
},
"product_reference": "python-daemon-0:1.5.2-1.el6.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-daemon-0:1.5.2-1.el6.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src"
},
"product_reference": "python-daemon-0:1.5.2-1.el6.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-kitchen-0:1.1.1-2.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch"
},
"product_reference": "python-kitchen-0:1.1.1-2.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-kitchen-0:1.1.1-2.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src"
},
"product_reference": "python-kitchen-0:1.1.1-2.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lockfile-0:0.8-5.el6.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch"
},
"product_reference": "python-lockfile-0:0.8-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lockfile-0:0.8-5.el6.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src"
},
"product_reference": "python-lockfile-0:0.8-5.el6.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ply-0:3.3-7.el6ev.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch"
},
"product_reference": "python-ply-0:3.3-7.el6ev.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ply-0:3.3-7.el6ev.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src"
},
"product_reference": "python-ply-0:3.3-7.el6ev.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch"
},
"product_reference": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src"
},
"product_reference": "redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-0:2.1.0-0.bb10.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src"
},
"product_reference": "rhsc-0:2.1.0-0.bb10.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch"
},
"product_reference": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src"
},
"product_reference": "rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch"
},
"product_reference": "rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-log-collector-0:2.1-0.1.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src"
},
"product_reference": "rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch"
},
"product_reference": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src"
},
"product_reference": "rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch as a component of Red Hat Storage Console 2.1",
"product_id": "6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
},
"product_reference": "rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch",
"relates_to_product_reference": "6Server-RHSC-2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-09-16T03:07:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1263"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:otopi-devel-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:otopi-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-0:1.1.0-1.el6ev.src",
"6Server-RHSC-2.1:ovirt-host-deploy-java-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:ovirt-host-deploy-repolib-0:1.1.0-1.el6ev.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.noarch",
"6Server-RHSC-2.1:python-daemon-0:1.5.2-1.el6.src",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.noarch",
"6Server-RHSC-2.1:python-kitchen-0:1.1.1-2.el6ev.src",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.noarch",
"6Server-RHSC-2.1:python-lockfile-0:0.8-5.el6.src",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.noarch",
"6Server-RHSC-2.1:python-ply-0:3.3-7.el6ev.src",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.noarch",
"6Server-RHSC-2.1:redhat-access-plugin-storage-0:2.1.0-0.el6rhs.src",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-0:2.1.0-0.bb10.el6rhs.src",
"6Server-RHSC-2.1:rhsc-backend-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-cli-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-dbscripts-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-log-collector-0:2.1-0.1.el6rhs.src",
"6Server-RHSC-2.1:rhsc-restapi-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-sdk-0:2.1.0.0-0.bb3a.el6rhs.src",
"6Server-RHSC-2.1:rhsc-setup-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-tools-0:2.1.0-0.bb10.el6rhs.noarch",
"6Server-RHSC-2.1:rhsc-webadmin-portal-0:2.1.0-0.bb10.el6rhs.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
}
]
}
RHSA-2014:0371
Vulnerability from csaf_redhat - Published: 2014-04-03 21:19 - Updated: 2026-05-14 22:17
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss BPM Suite 6.0.1, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss rules.\n\nThis release of Red Hat JBoss BPM Suite 6.0.1 serves as a replacement for\nRed Hat JBoss BPM Suite 6.0.0, and includes bug fixes and enhancements.\nRefer to the Red Hat JBoss BPM Suite 6.0.1 Release Notes for information on\nthe most significant of these changes. The Release Notes will be available\nat https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/\n\nThe following security issues are fixed with this release:\n\nIt was discovered that JBoss BPM Suite allowed remote authenticated users\nto submit arbitrary Java code in MVFLEX Expression Language (MVEL) or JBoss\nRules expressions, resulting in arbitrary code execution within the\nsecurity context of the application server. Refer to the Solution section\nfor details on the fix for this issue. (CVE-2013-6468)\n\nIt was found that XStream could deserialize arbitrary user-supplied XML\ncontent, representing objects of any type. A remote attacker able to pass\nXML to XStream could use this flaw to perform a variety of attacks,\nincluding remote code execution in the context of the server running the\nXStream application. (CVE-2013-7285)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2011-5245, CVE-2012-0818)\n\nIt was discovered that bouncycastle leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL server as a padding\noracle. (CVE-2013-1624)\n\nIt was found that the Apache Camel XSLT component would resolve entities in\nXML messages when transforming them using an XSLT route. A remote attacker\nable to submit messages to an XSLT Camel route could use this flaw to read\nfiles accessible to the user running the application server and,\npotentially, perform other more advanced XML External Entity (XXE) attacks.\n(CVE-2014-0002)\n\nThe CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of\nthe Red Hat Security Response Team, and the CVE-2013-6468 issue was\ndiscovered by Marc Schoenefeld of the Red Hat Security Response Team.\n\nRed Hat would like to thank Gr\u00e9gory Draperi for independently reporting\nCVE-2013-6468.\n\nAll users of Red Hat JBoss BPM Suite 6.0.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.1.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0371",
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=distributions\u0026version=6.0.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=distributions\u0026version=6.0.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/",
"url": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "1058457",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058457"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0371.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.0.1 update",
"tracking": {
"current_release_date": "2026-05-14T22:17:28+00:00",
"generator": {
"date": "2026-05-14T22:17:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2014:0371",
"initial_release_date": "2014-04-03T21:19:56+00:00",
"revision_history": [
{
"date": "2014-04-03T21:19:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:17:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.0",
"product": {
"name": "Red Hat JBoss BPMS 6.0",
"product_id": "Red Hat JBoss BPMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2013-1624",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2013-02-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "908428"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: TLS CBC padding timing attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1624"
},
{
"category": "external",
"summary": "RHBZ#908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/",
"url": "http://www.isg.rhul.ac.uk/tls/"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
}
],
"release_date": "2013-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: TLS CBC padding timing attack"
},
{
"acknowledgments": [
{
"names": [
"Marc Schoenefeld"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
},
{
"names": [
"Gr\u00e9gory Draperi"
]
}
],
"cve": "CVE-2013-6468",
"discovery_date": "2013-08-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051261"
}
],
"notes": [
{
"category": "description",
"text": "JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Drools: Remote Java Code Execution in MVEL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6468"
},
{
"category": "external",
"summary": "RHBZ#1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6468",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6468"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468"
}
],
"release_date": "2014-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Drools: Remote Java Code Execution in MVEL"
},
{
"cve": "CVE-2013-7285",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2013-12-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051277"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote code execution due to insecure XML deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-7285"
},
{
"category": "external",
"summary": "RHBZ#1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-7285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285"
},
{
"category": "external",
"summary": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html",
"url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
},
{
"category": "external",
"summary": "http://xstream.codehaus.org/security.html",
"url": "http://xstream.codehaus.org/security.html"
},
{
"category": "external",
"summary": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/",
"url": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/"
}
],
"release_date": "2013-12-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "XStream: remote code execution due to insecure XML deserialization"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0002",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049675"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: XML eXternal Entity (XXE) flaw in XSLT component",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0002"
},
{
"category": "external",
"summary": "RHBZ#1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0002",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Camel: XML eXternal Entity (XXE) flaw in XSLT component"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0003",
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049692"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: remote code execution via XSL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0003"
},
{
"category": "external",
"summary": "RHBZ#1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0003",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Camel: remote code execution via XSL"
}
]
}
RHSA-2014:0372
Vulnerability from csaf_redhat - Published: 2014-04-03 21:30 - Updated: 2026-05-14 22:17

CVE-2011-5245 (RESTEasy: XML eXternal Entity (XXE) flaw): The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2012-0818 (RESTEasy: XML eXternal Entity (XXE) flaw): RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2013-1624 (bouncycastle: TLS CBC padding timing attack): It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2013-6468 (Drools: Remote Java Code Execution in MVEL): JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2013-7285 (XStream: remote code execution due to insecure XML deserialization): It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2014-0002 (Camel: XML eXternal Entity (XXE) flaw in XSLT component): The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
CVE-2014-0003 (Camel: remote code execution via XSL): The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.0 (Red Hat / Red Hat Decision Manager) | cpe:/a:redhat:jboss_brms:6.0 | — | Vendor Fix (RHSA-2014:0372) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss BRMS 6.0.1, which fixes multiple security issues, various\nbugs, and adds enhancements, is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.0.1 serves as a replacement for Red\nHat JBoss BRMS 6.0.0, and includes bug fixes and enhancements. Refer to the\nRed Hat JBoss BRMS 6.0.1 Release Notes for information on the most\nsignificant of these changes. The Release Notes will be available shortly\nat https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/\n\nThe following security issues are fixed with this release:\n\nIt was discovered that JBoss BRMS allowed remote authenticated users to\nsubmit arbitrary Java code in MVFLEX Expression Language (MVEL) or JBoss\nRules expressions, resulting in arbitrary code execution within the\nsecurity context of the application server. Refer to the Solution section\nfor details on the fix for this issue. (CVE-2013-6468)\n\nIt was found that XStream could deserialize arbitrary user-supplied XML\ncontent, representing objects of any type. A remote attacker able to pass\nXML to XStream could use this flaw to perform a variety of attacks,\nincluding remote code execution in the context of the server running the\nXStream application. (CVE-2013-7285)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2011-5245, CVE-2012-0818)\n\nIt was discovered that bouncycastle leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL server as a padding\noracle. (CVE-2013-1624)\n\nIt was found that the Apache Camel XSLT component would resolve entities in\nXML messages when transforming them using an XSLT route. A remote attacker\nable to submit messages to an XSLT Camel route could use this flaw to read\nfiles accessible to the user running the application server and,\npotentially, perform other more advanced XML External Entity (XXE) attacks.\n(CVE-2014-0002)\n\nThe CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of\nthe Red Hat Security Response Team, and the CVE-2013-6468 issue was\ndiscovered by Marc Schoenefeld of the Red Hat Security Response Team.\n\nRed Hat would like to thank Gr\u00e9gory Draperi for independently reporting\nCVE-2013-6468.\n\nAll users of Red Hat JBoss BRMS 6.0.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.0.1.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0372",
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=distributions\u0026version=6.0.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=distributions\u0026version=6.0.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0372.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.0.1 update",
"tracking": {
"current_release_date": "2026-05-14T22:17:28+00:00",
"generator": {
"date": "2026-05-14T22:17:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2014:0372",
"initial_release_date": "2014-04-03T21:30:03+00:00",
"revision_history": [
{
"date": "2014-04-03T21:30:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:17:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.0",
"product": {
"name": "Red Hat JBoss BRMS 6.0",
"product_id": "Red Hat JBoss BRMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_brms:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2013-1624",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2013-02-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "908428"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: TLS CBC padding timing attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1624"
},
{
"category": "external",
"summary": "RHBZ#908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/",
"url": "http://www.isg.rhul.ac.uk/tls/"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
}
],
"release_date": "2013-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: TLS CBC padding timing attack"
},
{
"acknowledgments": [
{
"names": [
"Marc Schoenefeld"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
},
{
"names": [
"Gr\u00e9gory Draperi"
]
}
],
"cve": "CVE-2013-6468",
"discovery_date": "2013-08-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051261"
}
],
"notes": [
{
"category": "description",
"text": "JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Drools: Remote Java Code Execution in MVEL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6468"
},
{
"category": "external",
"summary": "RHBZ#1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6468",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6468"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468"
}
],
"release_date": "2014-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Drools: Remote Java Code Execution in MVEL"
},
{
"cve": "CVE-2013-7285",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2013-12-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051277"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote code execution due to insecure XML deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-7285"
},
{
"category": "external",
"summary": "RHBZ#1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-7285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285"
},
{
"category": "external",
"summary": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html",
"url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
},
{
"category": "external",
"summary": "http://xstream.codehaus.org/security.html",
"url": "http://xstream.codehaus.org/security.html"
},
{
"category": "external",
"summary": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/",
"url": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/"
}
],
"release_date": "2013-12-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "XStream: remote code execution due to insecure XML deserialization"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0002",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049675"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: XML eXternal Entity (XXE) flaw in XSLT component",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0002"
},
{
"category": "external",
"summary": "RHBZ#1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0002",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Camel: XML eXternal Entity (XXE) flaw in XSLT component"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0003",
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049692"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: remote code execution via XSL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0003"
},
{
"category": "external",
"summary": "RHBZ#1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0003",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Camel: remote code execution via XSL"
}
]
}
RHSA-2014_0371
Vulnerability from csaf_redhat - Published: 2014-04-03 21:19 - Updated: 2024-11-22 08:11
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.0 (Red Hat / Red Hat Process Automation Manager) | cpe:/a:redhat:jboss_bpms:6.0 | — | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss BPM Suite 6.0.1, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss rules.\n\nThis release of Red Hat JBoss BPM Suite 6.0.1 serves as a replacement for\nRed Hat JBoss BPM Suite 6.0.0, and includes bug fixes and enhancements.\nRefer to the Red Hat JBoss BPM Suite 6.0.1 Release Notes for information on\nthe most significant of these changes. The Release Notes will be available\nat https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/\n\nThe following security issues are fixed with this release:\n\nIt was discovered that JBoss BPM Suite allowed remote authenticated users\nto submit arbitrary Java code in MVFLEX Expression Language (MVEL) or JBoss\nRules expressions, resulting in arbitrary code execution within the\nsecurity context of the application server. Refer to the Solution section\nfor details on the fix for this issue. (CVE-2013-6468)\n\nIt was found that XStream could deserialize arbitrary user-supplied XML\ncontent, representing objects of any type. A remote attacker able to pass\nXML to XStream could use this flaw to perform a variety of attacks,\nincluding remote code execution in the context of the server running the\nXStream application. (CVE-2013-7285)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2011-5245, CVE-2012-0818)\n\nIt was discovered that bouncycastle leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL server as a padding\noracle. (CVE-2013-1624)\n\nIt was found that the Apache Camel XSLT component would resolve entities in\nXML messages when transforming them using an XSLT route. A remote attacker\nable to submit messages to an XSLT Camel route could use this flaw to read\nfiles accessible to the user running the application server and,\npotentially, perform other more advanced XML External Entity (XXE) attacks.\n(CVE-2014-0002)\n\nThe CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of\nthe Red Hat Security Response Team, and the CVE-2013-6468 issue was\ndiscovered by Marc Schoenefeld of the Red Hat Security Response Team.\n\nRed Hat would like to thank Gr\u00e9gory Draperi for independently reporting\nCVE-2013-6468.\n\nAll users of Red Hat JBoss BPM Suite 6.0.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.1.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0371",
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=distributions\u0026version=6.0.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=distributions\u0026version=6.0.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/",
"url": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_BPM_Suite/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "1058457",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058457"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0371.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.0.1 update",
"tracking": {
"current_release_date": "2024-11-22T08:11:52+00:00",
"generator": {
"date": "2024-11-22T08:11:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0371",
"initial_release_date": "2014-04-03T21:19:56+00:00",
"revision_history": [
{
"date": "2014-04-03T21:19:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:11:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.0",
"product": {
"name": "Red Hat JBoss BPMS 6.0",
"product_id": "Red Hat JBoss BPMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2013-1624",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2013-02-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "908428"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: TLS CBC padding timing attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1624"
},
{
"category": "external",
"summary": "RHBZ#908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/",
"url": "http://www.isg.rhul.ac.uk/tls/"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
}
],
"release_date": "2013-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: TLS CBC padding timing attack"
},
{
"acknowledgments": [
{
"names": [
"Marc Schoenefeld"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
},
{
"names": [
"Gr\u00e9gory Draperi"
]
}
],
"cve": "CVE-2013-6468",
"discovery_date": "2013-08-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051261"
}
],
"notes": [
{
"category": "description",
"text": "JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Drools: Remote Java Code Execution in MVEL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6468"
},
{
"category": "external",
"summary": "RHBZ#1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6468",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6468"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468"
}
],
"release_date": "2014-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation. Note that in this configuration\nprotection against CVE-2013-6468 rests entirely on restricting who can\nauthor and deploy rules, not on a runtime sandbox.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Drools: Remote Java Code Execution in MVEL"
},
{
"cve": "CVE-2013-7285",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2013-12-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051277"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote code execution due to insecure XML deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-7285"
},
{
"category": "external",
"summary": "RHBZ#1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-7285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285"
},
{
"category": "external",
"summary": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html",
"url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
},
{
"category": "external",
"summary": "http://xstream.codehaus.org/security.html",
"url": "http://xstream.codehaus.org/security.html"
},
{
"category": "external",
"summary": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/",
"url": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/"
}
],
"release_date": "2013-12-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "XStream: remote code execution due to insecure XML deserialization"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0002",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049675"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: XML eXternal Entity (XXE) flaw in XSLT component",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0002"
},
{
"category": "external",
"summary": "RHBZ#1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0002",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Camel: XML eXternal Entity (XXE) flaw in XSLT component"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0003",
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049692"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: remote code execution via XSL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0003"
},
{
"category": "external",
"summary": "RHBZ#1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0003",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:19:56+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BPM Suite are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BPMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0371"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Camel: remote code execution via XSL"
}
]
}
RHSA-2014_0372
Vulnerability from csaf_redhat - Published: 2014-04-03 21:30 - Updated: 2024-11-22 08:11
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BRMS 6.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_brms:6.0
|
— |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss BRMS 6.0.1, which fixes multiple security issues, various\nbugs, and adds enhancements, is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.0.1 serves as a replacement for Red\nHat JBoss BRMS 6.0.0, and includes bug fixes and enhancements. Refer to the\nRed Hat JBoss BRMS 6.0.1 Release Notes for information on the most\nsignificant of these changes. The Release Notes will be available shortly\nat https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/\n\nThe following security issues are fixed with this release:\n\nIt was discovered that JBoss BRMS allowed remote authenticated users to\nsubmit arbitrary Java code in MVFLEX Expression Language (MVEL) or JBoss\nRules expressions, resulting in arbitrary code execution within the\nsecurity context of the application server. Refer to the Solution section\nfor details on the fix for this issue. (CVE-2013-6468)\n\nIt was found that XStream could deserialize arbitrary user-supplied XML\ncontent, representing objects of any type. A remote attacker able to pass\nXML to XStream could use this flaw to perform a variety of attacks,\nincluding remote code execution in the context of the server running the\nXStream application. (CVE-2013-7285)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input.\n(CVE-2011-5245, CVE-2012-0818)\n\nIt was discovered that bouncycastle leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL server as a padding\noracle. (CVE-2013-1624)\n\nIt was found that the Apache Camel XSLT component would resolve entities in\nXML messages when transforming them using an XSLT route. A remote attacker\nable to submit messages to an XSLT Camel route could use this flaw to read\nfiles accessible to the user running the application server and,\npotentially, perform other more advanced XML External Entity (XXE) attacks.\n(CVE-2014-0002)\n\nThe CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of\nthe Red Hat Security Response Team, and the CVE-2013-6468 issue was\ndiscovered by Marc Schoenefeld of the Red Hat Security Response Team.\n\nRed Hat would like to thank Gr\u00e9gory Draperi for independently reporting\nCVE-2013-6468.\n\nAll users of Red Hat JBoss BRMS 6.0.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.0.1.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0372",
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=distributions\u0026version=6.0.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=distributions\u0026version=6.0.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0372.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.0.1 update",
"tracking": {
"current_release_date": "2024-11-22T08:11:47+00:00",
"generator": {
"date": "2024-11-22T08:11:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0372",
"initial_release_date": "2014-04-03T21:30:03+00:00",
"revision_history": [
{
"date": "2014-04-03T21:30:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:11:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.0",
"product": {
"name": "Red Hat JBoss BRMS 6.0",
"product_id": "Red Hat JBoss BRMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_brms:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2013-1624",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2013-02-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "908428"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: TLS CBC padding timing attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1624"
},
{
"category": "external",
"summary": "RHBZ#908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/",
"url": "http://www.isg.rhul.ac.uk/tls/"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
}
],
"release_date": "2013-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: TLS CBC padding timing attack"
},
{
"acknowledgments": [
{
"names": [
"Marc Schoenefeld"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
},
{
"names": [
"Gr\u00e9gory Draperi"
]
}
],
"cve": "CVE-2013-6468",
"discovery_date": "2013-08-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051261"
}
],
"notes": [
{
"category": "description",
"text": "JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Drools: Remote Java Code Execution in MVEL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6468"
},
{
"category": "external",
"summary": "RHBZ#1051261",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051261"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6468",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6468"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6468"
}
],
"release_date": "2014-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Drools: Remote Java Code Execution in MVEL"
},
{
"cve": "CVE-2013-7285",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2013-12-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1051277"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote code execution due to insecure XML deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-7285"
},
{
"category": "external",
"summary": "RHBZ#1051277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-7285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7285"
},
{
"category": "external",
"summary": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html",
"url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
},
{
"category": "external",
"summary": "http://xstream.codehaus.org/security.html",
"url": "http://xstream.codehaus.org/security.html"
},
{
"category": "external",
"summary": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/",
"url": "https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/"
}
],
"release_date": "2013-12-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "XStream: remote code execution due to insecure XML deserialization"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0002",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049675"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: XML eXternal Entity (XXE) flaw in XSLT component",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0002"
},
{
"category": "external",
"summary": "RHBZ#1049675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0002",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0002"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Camel: XML eXternal Entity (XXE) flaw in XSLT component"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0003",
"discovery_date": "2014-01-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1049692"
}
],
"notes": [
{
"category": "description",
"text": "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: remote code execution via XSL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0003"
},
{
"category": "external",
"summary": "RHBZ#1049692",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049692"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0003",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0003"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc"
}
],
"release_date": "2014-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-03T21:30:03+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server process.\n\nThe fix for CVE-2013-6468 enables the Java Security Manager (JSM) to\nsandbox the evaluation of MVEL expressions. This introduces performance\ndegradation in high load environments. The following ways of running Red\nHat JBoss BRMS are considered secure while mitigating performance\ndegradation:\n\n1. In high load environments where performance is critical, it is\nrecommended to only deploy applications that have been developed on other\nsystems and properly reviewed. It is also recommended not to create any\nusers with the Analyst role on such systems. If these safeguards are\nfollowed, it is safe to leave JSM disabled on these systems so it does not\nintroduce any performance degradation.\n\n2. In testing and development environments without high loads, or in\nenvironments where rule authoring is exposed to external networks, it is\nrecommended to have JSM enabled in order to achieve security benefits of\nproperly sandboxed evaluation of MVEL expressions.\n\nAllowing users with the Analyst role to log in to the Business Central\nconsole when JSM is disabled is not secure and not recommended.",
"product_ids": [
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0372"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Camel: remote code execution via XSL"
}
]
}