Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2014-0054
Vulnerability from cvelistv5
Published
2014-04-17 14:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T09:05:38.783Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "66148", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/66148", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jira.spring.io/browse/SPR-11376", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2014:0400", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { name: "57915", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/57915", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-01-31T00:00:00", descriptions: [ { lang: "en", value: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-04-19T01:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "66148", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/66148", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://jira.spring.io/browse/SPR-11376", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2014:0400", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { name: "57915", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/57915", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-0054", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "66148", refsource: "BID", url: "http://www.securityfocus.com/bid/66148", }, { name: "https://jira.spring.io/browse/SPR-11376", refsource: "CONFIRM", url: "https://jira.spring.io/browse/SPR-11376", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2014:0400", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { name: "57915", refsource: "SECUNIA", url: "http://secunia.com/advisories/57915", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2014-0054", datePublished: "2014-04-17T14:00:00", dateReserved: "2013-12-03T00:00:00", dateUpdated: "2024-08-06T09:05:38.783Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"62111DAE-3E05-4D95-8B34-E2EFB6142DCA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*\", \"matchCriteriaId\": \"13E1344C-CB41-48FC-BB98-7FEBEBF190E9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*\", \"matchCriteriaId\": \"AD66E687-C387-486D-AC34-279961311A8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*\", \"matchCriteriaId\": \"49018DD7-9E85-4B4D-B054-CD17EFB13E87\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*\", \"matchCriteriaId\": \"37FC3F37-A033-491B-96F0-8B38E2E43BFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"12021339-C885-4A9E-95C1-4695F3DC1F76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"6FB321B9-4838-4AAC-B8AF-C92015C946A0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"DC19AE9E-B46C-4872-B562-E97DC80543F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32F4893D-61E6-4E7F-A30A-3AB96264531B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B7F99079-D584-456B-A116-62D10FBF8233\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A9F796E-340B-4FF5-9322-94E57D7BCEE6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8BA17FD-BC52-4D84-9753-5D41D3BC35B4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"637484A7-AB05-4F64-9311-6741BDF2579F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FAE5CFA5-769F-49E9-A7A9-56C8CED8692E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"84A59B07-7EF0-4744-AF78-59C2C9C7DCD5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"373153C1-402D-4159-8B72-5C8544846CC6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D9CB60A-0AFB-4572-9406-B848B71A37F2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A943BB84-9368-48F2-96DD-65EF0AEDEFE1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.2.7\", \"matchCriteriaId\": \"35922ADD-3B00-4928-AF5E-5449CB55D5C5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B9D5172D-5E19-40C1-8C1B-CC22706E780D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"46E410D2-DA53-4806-B296-451C3D9CDEEA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"20D6E5AC-9898-416F-8268-3623E1706072\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B61F3E25-A415-4A25-91D6-4FBA6F575AAB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8A2C4C81-2E79-411C-AEB8-A5E40FC28D31\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"010915FE-3BCE-4652-8D8B-47EE085F3BEE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D16C8EFA-F1E4-48C3-BC86-A132873426C4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"47CED0ED-D67E-48AF-BB1A-EB1030897A8C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D2E2EA60-735E-431E-BEFE-DC5C1046E532\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CB73406-5FE4-438E-BCB7-57FBF6EC38D0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD20A2BE-2024-4DAA-825E-213ACB667DE9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*\", \"matchCriteriaId\": \"264458EB-2332-438F-8635-414E388E25EA\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.\"}, {\"lang\": \"es\", \"value\": \"Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterior a 3.2.8 y 4.0.0 anterior a 4.0.2 no deshabilita resoluci\\u00f3n de entidad externa, lo que permite a atacantes remotos leer archivos arbitrarios, causar una denegaci\\u00f3n de servicio y realizar ataques CSRF a trav\\u00e9s de XML manipulado, tambi\\u00e9n conocido como un problema de entidad externa XML (XXE). NOTA: esta vulnerabilidad existe debido a una soluci\\u00f3n incompleta para CVE-2013-4152, CVE-2013-7315 y CVE-2013-6429.\"}]", id: "CVE-2014-0054", lastModified: "2024-11-21T02:01:15.597", metrics: "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}", published: "2014-04-17T14:55:06.417", references: "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0400.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/57915\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/66148\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://jira.spring.io/browse/SPR-11376\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0400.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/57915\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/66148\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://jira.spring.io/browse/SPR-11376\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2014-0054\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-04-17T14:55:06.417\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.\"},{\"lang\":\"es\",\"value\":\"Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterior a 3.2.8 y 4.0.0 anterior a 4.0.2 no deshabilita resolución de entidad externa, lo que permite a atacantes remotos leer archivos arbitrarios, causar una denegación de servicio y realizar ataques CSRF a través de XML manipulado, también conocido como un problema de entidad externa XML (XXE). NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2013-4152, CVE-2013-7315 y CVE-2013-6429.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62111DAE-3E05-4D95-8B34-E2EFB6142DCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"13E1344C-CB41-48FC-BB98-7FEBEBF190E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD66E687-C387-486D-AC34-279961311A8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*\",\"matchCriteriaId\":\"49018DD7-9E85-4B4D-B054-CD17EFB13E87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*\",\"matchCriteriaId\":\"37FC3F37-A033-491B-96F0-8B38E2E43BFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"12021339-C885-4A9E-95C1-4695F3DC1F76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FB321B9-4838-4AAC-B8AF-C92015C946A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC19AE9E-B46C-4872-B562-E97DC80543F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32F4893D-61E6-4E7F-A30A-3AB96264531B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7F99079-D584-456B-A116-62D10FBF8233\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A9F796E-340B-4FF5-9322-94E57D7BCEE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8BA17FD-BC52-4D84-9753-5D41D3BC35B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"637484A7-AB05-4F64-9311-6741BDF2579F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FAE5CFA5-769F-49E9-A7A9-56C8CED8692E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84A59B07-7EF0-4744-AF78-59C2C9C7DCD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"373153C1-402D-4159-8B72-5C8544846CC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D9CB60A-0AFB-4572-9406-B848B71A37F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A943BB84-9368-48F2-96DD-65EF0AEDEFE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2.7\",\"matchCriteriaId\":\"35922ADD-3B00-4928-AF5E-5449CB55D5C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9D5172D-5E19-40C1-8C1B-CC22706E780D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46E410D2-DA53-4806-B296-451C3D9CDEEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20D6E5AC-9898-416F-8268-3623E1706072\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B61F3E25-A415-4A25-91D6-4FBA6F575AAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A2C4C81-2E79-411C-AEB8-A5E40FC28D31\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"010915FE-3BCE-4652-8D8B-47EE085F3BEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D16C8EFA-F1E4-48C3-BC86-A132873426C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47CED0ED-D67E-48AF-BB1A-EB1030897A8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2E2EA60-735E-431E-BEFE-DC5C1046E532\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CB73406-5FE4-438E-BCB7-57FBF6EC38D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD20A2BE-2024-4DAA-825E-213ACB667DE9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"264458EB-2332-438F-8635-414E388E25EA\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0400.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57915\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/66148\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://jira.spring.io/browse/SPR-11376\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0400.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57915\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/66148\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://jira.spring.io/browse/SPR-11376\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", }, }
gsd-2014-0054
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Aliases
Aliases
{ GSD: { alias: "CVE-2014-0054", description: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", id: "GSD-2014-0054", references: [ "https://www.debian.org/security/2014/dsa-2890", "https://access.redhat.com/errata/RHSA-2014:0401", "https://access.redhat.com/errata/RHSA-2014:0400", "https://advisories.mageia.org/CVE-2014-0054.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2014-0054", ], details: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", id: "GSD-2014-0054", modified: "2023-12-13T01:22:44.158382Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-0054", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "66148", refsource: "BID", url: "http://www.securityfocus.com/bid/66148", }, { name: "https://jira.spring.io/browse/SPR-11376", refsource: "CONFIRM", url: "https://jira.spring.io/browse/SPR-11376", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2014:0400", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { name: "57915", refsource: "SECUNIA", url: "http://secunia.com/advisories/57915", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "[3.2-alpha0,3.2.7.RELEASE],[4.0-alpha0,4.0.1.RELEASE]", affected_versions: "All versions starting from 3.2-alpha0 up to 3.2.7.release, all versions starting from 4.0-alpha0 up to 4.0.1.release", cvss_v2: "AV:N/AC:M/Au:N/C:P/I:P/A:P", cwe_ids: [ "CWE-1035", "CWE-352", "CWE-937", ], date: "2018-04-19", description: "This package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", fixed_versions: [ "3.2.8.RELEASE", "4.0.2.RELEASE", ], identifier: "CVE-2014-0054", identifiers: [ "CVE-2014-0054", ], not_impacted: "All versions before 3.2-alpha0, all versions after 3.2.7.release before 4.0-alpha0, all versions after 4.0.1.release", package_slug: "maven/org.springframework/spring-webmvc", pubdate: "2014-04-17", solution: "Upgrade to versions 3.2.8.RELEASE, 4.0.2.RELEASE or above.", title: "XML External Entities", urls: [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054", "http://www.pivotal.io/security/cve-2014-0054", "https://jira.spring.io/browse/SPR-11376", ], uuid: "5d28e72d-82e9-41e6-88c1-fd85fc26a9e9", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "3.2.7", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-0054", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-352", }, ], }, ], }, references: { reference_data: [ { name: "57915", refsource: "SECUNIA", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/57915", }, { name: "https://jira.spring.io/browse/SPR-11376", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "https://jira.spring.io/browse/SPR-11376", }, { name: "RHSA-2014:0400", refsource: "REDHAT", tags: [], url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { name: "66148", refsource: "BID", tags: [], url: "http://www.securityfocus.com/bid/66148", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: true, }, }, lastModifiedDate: "2022-04-11T17:36Z", publishedDate: "2014-04-17T14:55Z", }, }, }
rhsa-2014:0400
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2025-04-09 15:45
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Security fixes:
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)
It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat\nJBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0400", url: "https://access.redhat.com/errata/RHSA-2014:0400", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0400.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update", tracking: { current_release_date: "2025-04-09T15:45:26+00:00", generator: { date: "2025-04-09T15:45:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2014:0400", initial_release_date: "2014-04-14T13:46:50+00:00", revision_history: [ { date: "2014-04-14T13:46:50+00:00", number: "1", summary: "Initial version", }, { date: "2014-04-14T14:27:37+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:45:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2172", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2013-08-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "999263", }, ], notes: [ { category: "description", text: "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.", title: "Vulnerability description", }, { category: "summary", text: "Java: XML signature spoofing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2172", }, { category: "external", summary: "RHBZ#999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2172", url: "https://www.cve.org/CVERecord?id=CVE-2013-2172", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", }, { category: "external", summary: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", url: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", }, ], release_date: "2013-06-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: XML signature spoofing", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-4517", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2013-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1045257", }, ], notes: [ { category: "description", text: "It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "Java: Java XML Signature DoS Attack", title: "Vulnerability summary", }, { category: "other", text: "Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4517", }, { category: "external", summary: "RHBZ#1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4517", url: "https://www.cve.org/CVERecord?id=CVE-2013-4517", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", }, ], release_date: "2013-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: Java XML Signature DoS Attack", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, { cve: "CVE-2014-3584", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2014-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1157330", }, ], notes: [ { category: "description", text: "The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.", title: "Vulnerability description", }, { category: "summary", text: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.\n\nFuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3584", }, { category: "external", summary: "RHBZ#1157330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1157330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3584", url: "https://www.cve.org/CVERecord?id=CVE-2014-3584", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", }, ], release_date: "2014-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", }, ], }
RHSA-2014:0400
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2025-04-09 15:45
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Security fixes:
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)
It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat\nJBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0400", url: "https://access.redhat.com/errata/RHSA-2014:0400", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0400.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update", tracking: { current_release_date: "2025-04-09T15:45:26+00:00", generator: { date: "2025-04-09T15:45:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2014:0400", initial_release_date: "2014-04-14T13:46:50+00:00", revision_history: [ { date: "2014-04-14T13:46:50+00:00", number: "1", summary: "Initial version", }, { date: "2014-04-14T14:27:37+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:45:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2172", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2013-08-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "999263", }, ], notes: [ { category: "description", text: "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.", title: "Vulnerability description", }, { category: "summary", text: "Java: XML signature spoofing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2172", }, { category: "external", summary: "RHBZ#999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2172", url: "https://www.cve.org/CVERecord?id=CVE-2013-2172", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", }, { category: "external", summary: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", url: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", }, ], release_date: "2013-06-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: XML signature spoofing", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-4517", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2013-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1045257", }, ], notes: [ { category: "description", text: "It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "Java: Java XML Signature DoS Attack", title: "Vulnerability summary", }, { category: "other", text: "Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4517", }, { category: "external", summary: "RHBZ#1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4517", url: "https://www.cve.org/CVERecord?id=CVE-2013-4517", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", }, ], release_date: "2013-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: Java XML Signature DoS Attack", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, { cve: "CVE-2014-3584", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2014-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1157330", }, ], notes: [ { category: "description", text: "The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.", title: "Vulnerability description", }, { category: "summary", text: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.\n\nFuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3584", }, { category: "external", summary: "RHBZ#1157330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1157330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3584", url: "https://www.cve.org/CVERecord?id=CVE-2014-3584", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", }, ], release_date: "2014-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", }, ], }
rhsa-2014:0401
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2025-04-09 15:44
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
The following security issues are resolved with this update:
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat\nJBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.\n\nThe following security issues are resolved with this update:\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and provides a configuration directive to re-enable\nit. (CVE-2013-4152)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and introduces a property to re-enable it.\n(CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.\n\nAll users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0401", url: "https://access.redhat.com/errata/RHSA-2014:0401", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0401.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update", tracking: { current_release_date: "2025-04-09T15:44:57+00:00", generator: { date: "2025-04-09T15:44:57+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2014:0401", initial_release_date: "2014-04-14T13:46:41+00:00", revision_history: [ { date: "2014-04-14T13:46:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:04+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:44:57+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, ], }
rhsa-2014_0401
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2024-11-22 08:11
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
The following security issues are resolved with this update:
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat\nJBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.\n\nThe following security issues are resolved with this update:\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and provides a configuration directive to re-enable\nit. (CVE-2013-4152)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and introduces a property to re-enable it.\n(CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.\n\nAll users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0401", url: "https://access.redhat.com/errata/RHSA-2014:0401", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0401.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update", tracking: { current_release_date: "2024-11-22T08:11:43+00:00", generator: { date: "2024-11-22T08:11:43+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0401", initial_release_date: "2014-04-14T13:46:41+00:00", revision_history: [ { date: "2014-04-14T13:46:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:04+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T08:11:43+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, ], }
rhsa-2014_0400
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2024-11-22 08:11
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Security fixes:
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)
It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat\nJBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0400", url: "https://access.redhat.com/errata/RHSA-2014:0400", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0400.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update", tracking: { current_release_date: "2024-11-22T08:11:58+00:00", generator: { date: "2024-11-22T08:11:58+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0400", initial_release_date: "2014-04-14T13:46:50+00:00", revision_history: [ { date: "2014-04-14T13:46:50+00:00", number: "1", summary: "Initial version", }, { date: "2014-04-14T14:27:37+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T08:11:58+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2172", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2013-08-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "999263", }, ], notes: [ { category: "description", text: "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.", title: "Vulnerability description", }, { category: "summary", text: "Java: XML signature spoofing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2172", }, { category: "external", summary: "RHBZ#999263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2172", url: "https://www.cve.org/CVERecord?id=CVE-2013-2172", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", }, { category: "external", summary: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", url: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", }, ], release_date: "2013-06-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: XML signature spoofing", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-4517", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2013-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1045257", }, ], notes: [ { category: "description", text: "It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "Java: Java XML Signature DoS Attack", title: "Vulnerability summary", }, { category: "other", text: "Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4517", }, { category: "external", summary: "RHBZ#1045257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4517", url: "https://www.cve.org/CVERecord?id=CVE-2013-4517", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", }, ], release_date: "2013-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Java: Java XML Signature DoS Attack", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, { cve: "CVE-2014-3584", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2014-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1157330", }, ], notes: [ { category: "description", text: "The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.", title: "Vulnerability description", }, { category: "summary", text: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.\n\nFuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3584", }, { category: "external", summary: "RHBZ#1157330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1157330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3584", url: "https://www.cve.org/CVERecord?id=CVE-2014-3584", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584", }, ], release_date: "2014-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:50+00:00", details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0400", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens", }, ], }
RHSA-2014:0401
Vulnerability from csaf_redhat
Published
2014-04-14 13:46
Modified
2025-04-09 15:44
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
The following security issues are resolved with this update:
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat\nJBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.\n\nThe following security issues are resolved with this update:\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and provides a configuration directive to re-enable\nit. (CVE-2013-4152)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and introduces a property to re-enable it.\n(CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.\n\nAll users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0401", url: "https://access.redhat.com/errata/RHSA-2014:0401", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0", }, { category: "external", summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/", }, { category: "external", summary: "958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0401.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.1.0 update", tracking: { current_release_date: "2025-04-09T15:44:57+00:00", generator: { date: "2025-04-09T15:44:57+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2014:0401", initial_release_date: "2014-04-14T13:46:41+00:00", revision_history: [ { date: "2014-04-14T13:46:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:04+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:44:57+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-1624", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2013-02-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "908428", }, ], notes: [ { category: "description", text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: TLS CBC padding timing attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-1624", }, { category: "external", summary: "RHBZ#908428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624", url: "https://www.cve.org/CVERecord?id=CVE-2013-1624", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/", url: "http://www.isg.rhul.ac.uk/tls/", }, { category: "external", summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf", }, ], release_date: "2013-02-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: TLS CBC padding timing attack", }, { acknowledgments: [ { names: [ "Florian Weimer", ], organization: "Red Hat Product Security Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-2035", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2013-04-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "958618", }, ], notes: [ { category: "description", text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", title: "Vulnerability description", }, { category: "summary", text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2035", }, { category: "external", summary: "RHBZ#958618", url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035", url: "https://www.cve.org/CVERecord?id=CVE-2013-2035", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", }, ], release_date: "2013-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution", }, { cve: "CVE-2013-2192", discovery_date: "2013-08-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1001326", }, ], notes: [ { category: "description", text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", title: "Vulnerability description", }, { category: "summary", text: "hadoop: man-in-the-middle vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-2192", }, { category: "external", summary: "RHBZ#1001326", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192", url: "https://www.cve.org/CVERecord?id=CVE-2013-2192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192", }, ], release_date: "2013-08-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.2, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hadoop: man-in-the-middle vulnerability", }, { cve: "CVE-2013-4152", discovery_date: "2013-08-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1000186", }, ], notes: [ { category: "description", text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4152", }, { category: "external", summary: "RHBZ#1000186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152", url: "https://www.cve.org/CVERecord?id=CVE-2013-4152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-4152", url: "http://www.gopivotal.com/security/cve-2013-4152", }, { category: "external", summary: "https://github.com/SpringSource/spring-framework/pull/317", url: "https://github.com/SpringSource/spring-framework/pull/317", }, { category: "external", summary: "https://jira.springsource.org/browse/SPR-10806", url: "https://jira.springsource.org/browse/SPR-10806", }, ], release_date: "2013-08-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { cve: "CVE-2013-6429", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2014-01-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1053290", }, ], notes: [ { category: "description", text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.", title: "Vulnerability description", }, { category: "summary", text: "Framework: XML External Entity (XXE) injection flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6429", }, { category: "external", summary: "RHBZ#1053290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429", url: "https://www.cve.org/CVERecord?id=CVE-2013-6429", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6429", url: "http://www.gopivotal.com/security/cve-2013-6429", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: XML External Entity (XXE) injection flaw", }, { acknowledgments: [ { names: [ "Jon Passki", ], organization: "Coverity SRL", }, { names: [ "Arun Neelicattu", ], organization: "Red Hat Security Response Team", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2013-6430", discovery_date: "2013-12-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1039783", }, ], notes: [ { category: "description", text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.", title: "Vulnerability description", }, { category: "summary", text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6430", }, { category: "external", summary: "RHBZ#1039783", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430", url: "https://www.cve.org/CVERecord?id=CVE-2013-6430", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2013-6430", url: "http://www.gopivotal.com/security/cve-2013-6430", }, ], release_date: "2014-01-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", }, { cve: "CVE-2014-0050", discovery_date: "2014-02-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1062337", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0050", }, { category: "external", summary: "RHBZ#1062337", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050", url: "https://www.cve.org/CVERecord?id=CVE-2014-0050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", }, ], release_date: "2014-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream", }, { cve: "CVE-2014-0054", discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075328", }, ], notes: [ { category: "description", text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", title: "Vulnerability description", }, { category: "summary", text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0054", }, { category: "external", summary: "RHBZ#1075328", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054", url: "https://www.cve.org/CVERecord?id=CVE-2014-0054", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-0054", url: "http://www.gopivotal.com/security/cve-2014-0054", }, ], release_date: "2014-01-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429", }, { acknowledgments: [ { names: [ "Graeme Colman", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2014-0085", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2014-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067265", }, ], notes: [ { category: "description", text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.", title: "Vulnerability description", }, { category: "summary", text: "Fuse: admin user cleartext password appears in logging", title: "Vulnerability summary", }, { category: "other", text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0085", }, { category: "external", summary: "RHBZ#1067265", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085", url: "https://www.cve.org/CVERecord?id=CVE-2014-0085", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085", }, ], release_date: "2014-04-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Fuse: admin user cleartext password appears in logging", }, { cve: "CVE-2014-1904", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-03-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1075296", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.", title: "Vulnerability description", }, { category: "summary", text: "Framework: cross-site scripting flaw when using Spring MVC", title: "Vulnerability summary", }, { category: "other", text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-1904", }, { category: "external", summary: "RHBZ#1075296", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904", url: "https://www.cve.org/CVERecord?id=CVE-2014-1904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904", }, { category: "external", summary: "http://www.gopivotal.com/security/cve-2014-1904", url: "http://www.gopivotal.com/security/cve-2014-1904", }, ], release_date: "2014-02-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-04-14T13:46:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0401", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: cross-site scripting flaw when using Spring MVC", }, ], }
ghsa-8cmm-qj8g-fcp6
Vulnerability from github
Published
2022-05-13 01:02
Modified
2024-02-27 23:40
Summary
Cross-Site Request Forgery in Spring Framework
Details
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
{ affected: [ { package: { ecosystem: "Maven", name: "org.springframework:spring-webmvc", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "3.2.8", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.springframework:spring-webmvc", }, ranges: [ { events: [ { introduced: "4.0.0", }, { fixed: "4.0.2", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2014-0054", ], database_specific: { cwe_ids: [ "CWE-352", ], github_reviewed: true, github_reviewed_at: "2022-07-07T23:09:05Z", nvd_published_at: "2014-04-17T14:55:00Z", severity: "MODERATE", }, details: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", id: "GHSA-8cmm-qj8g-fcp6", modified: "2024-02-27T23:40:01Z", published: "2022-05-13T01:02:38Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054", }, { type: "WEB", url: "https://github.com/spring-projects/spring-framework/issues/16003", }, { type: "WEB", url: "https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a", }, { type: "WEB", url: "https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b", }, { type: "WEB", url: "https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398", }, { type: "WEB", url: "https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, ], schema_version: "1.4.0", severity: [], summary: "Cross-Site Request Forgery in Spring Framework", }
fkie_cve-2014-0054
Vulnerability from fkie_nvd
Published
2014-04-17 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", matchCriteriaId: "13E1344C-CB41-48FC-BB98-7FEBEBF190E9", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", matchCriteriaId: "AD66E687-C387-486D-AC34-279961311A8F", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*", matchCriteriaId: "49018DD7-9E85-4B4D-B054-CD17EFB13E87", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*", matchCriteriaId: "37FC3F37-A033-491B-96F0-8B38E2E43BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "12021339-C885-4A9E-95C1-4695F3DC1F76", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "6FB321B9-4838-4AAC-B8AF-C92015C946A0", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*", matchCriteriaId: "DC19AE9E-B46C-4872-B562-E97DC80543F7", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*", matchCriteriaId: "32F4893D-61E6-4E7F-A30A-3AB96264531B", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*", matchCriteriaId: "B7F99079-D584-456B-A116-62D10FBF8233", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "637484A7-AB05-4F64-9311-6741BDF2579F", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "FAE5CFA5-769F-49E9-A7A9-56C8CED8692E", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "84A59B07-7EF0-4744-AF78-59C2C9C7DCD5", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "373153C1-402D-4159-8B72-5C8544846CC6", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4D9CB60A-0AFB-4572-9406-B848B71A37F2", vulnerable: true, }, { criteria: "cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A943BB84-9368-48F2-96DD-65EF0AEDEFE1", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "35922ADD-3B00-4928-AF5E-5449CB55D5C5", versionEndIncluding: "3.2.7", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "B9D5172D-5E19-40C1-8C1B-CC22706E780D", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "46E410D2-DA53-4806-B296-451C3D9CDEEA", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "20D6E5AC-9898-416F-8268-3623E1706072", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "B61F3E25-A415-4A25-91D6-4FBA6F575AAB", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "8A2C4C81-2E79-411C-AEB8-A5E40FC28D31", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "010915FE-3BCE-4652-8D8B-47EE085F3BEE", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "D16C8EFA-F1E4-48C3-BC86-A132873426C4", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "47CED0ED-D67E-48AF-BB1A-EB1030897A8C", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "D2E2EA60-735E-431E-BEFE-DC5C1046E532", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "3CB73406-5FE4-438E-BCB7-57FBF6EC38D0", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*", matchCriteriaId: "FD20A2BE-2024-4DAA-825E-213ACB667DE9", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*", matchCriteriaId: "264458EB-2332-438F-8635-414E388E25EA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.", }, { lang: "es", value: "Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterior a 3.2.8 y 4.0.0 anterior a 4.0.2 no deshabilita resolución de entidad externa, lo que permite a atacantes remotos leer archivos arbitrarios, causar una denegación de servicio y realizar ataques CSRF a través de XML manipulado, también conocido como un problema de entidad externa XML (XXE). NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2013-4152, CVE-2013-7315 y CVE-2013-6429.", }, ], id: "CVE-2014-0054", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2014-04-17T14:55:06.417", references: [ { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/57915", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/66148", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://jira.spring.io/browse/SPR-11376", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0400.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/57915", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/66148", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://jira.spring.io/browse/SPR-11376", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.