rhsa-2012_1594
Vulnerability from csaf_redhat
Published: 2012-12-18 22:43
Modified: 2024-09-15 20:00
Summary
Red Hat Security Advisory: JBoss Enterprise Application Platform 6.0.1 update

Notes

Topic
JBoss Enterprise Application Platform 6.0.1, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/knowledge/docs/

Security fixes:

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. (CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. (CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to "allow-multiple-users". A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. (CVE-2012-4549)

The apachectl script set an insecure library search path. Running apachectl in an attacker-controlled directory containing a malicious library file could cause arbitrary code execution with the privileges of the user running the apachectl script (typically the root user). This issue only affected JBoss Enterprise Application Platform on Solaris. (CVE-2012-0883)

It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. (CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of the Red Hat Security Response Team; and CVE-2012-2672 was discovered by Marek Schmidt and Stan Silvert of Red Hat.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "JBoss Enterprise Application Platform 6.0.1, which fixes multiple security\nissues, various bugs, and adds enhancements, is now available from the Red\nHat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Enterprise Application Platform 6 is a platform for Java applications\nbased on JBoss Application Server 7.\n\nThis release serves as a replacement for JBoss Enterprise Application\nPlatform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1\nRelease Notes for information on the most significant of these changes,\navailable shortly from https://access.redhat.com/knowledge/docs/\n\nSecurity fixes:\n\nApache CXF checked to ensure XML elements were signed or encrypted by a\nSupporting Token, but not whether the correct token was used. A remote\nattacker could transmit confidential information without the appropriate\nsecurity, and potentially circumvent access controls on web services\nexposed via Apache CXF. (CVE-2012-2379)\n\nWhen using role-based authorization to configure EJB access, JACC\npermissions should be used to determine access; however, due to a flaw the\nconfigured authorization modules (JACC, XACML, etc.) were not called, and\nthe JACC permissions were not used to determine access to an EJB.\n(CVE-2012-4550)\n\nA flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy\n1.1 on the client side could, in certain cases, lead to a client failing to\nsign or encrypt certain elements as directed by the security policy,\nleading to information disclosure and insecure information transmission.\n(CVE-2012-2378)\n\nA flaw was found in the way IronJacamar authenticated credentials and\nreturned a valid datasource connection when configured to\n\"allow-multiple-users\". A remote attacker, provided the correct subject,\ncould obtain a datasource connection that might belong to a privileged\nuser. (CVE-2012-3428)\n\nIt was found that Apache CXF was vulnerable to SOAPAction spoofing attacks\nunder certain conditions. Note that WS-Policy validation is performed\nagainst the operation being invoked, and an attack must pass validation to\nbe successful. (CVE-2012-3451)\n\nWhen there are no allowed roles for an EJB method invocation, the\ninvocation should be denied for all users. It was found that the\nprocessInvocation() method in\norg.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes\nall method invocations to proceed when the list of allowed roles is empty.\n(CVE-2012-4549)\n\nThe apachectl script set an insecure library search path. Running apachectl\nin an attacker-controlled directory containing a malicious library file\ncould cause arbitrary code execution with the privileges of the user\nrunning the apachectl script (typically the root user). This issue only\naffected JBoss Enterprise Application Platform on Solaris. (CVE-2012-0883)\n\nIt was found that in Mojarra, the FacesContext that is made available\nduring application startup is held in a ThreadLocal. The reference is not\nproperly cleaned up in all cases. As a result, if a JavaServer Faces (JSF)\nWAR calls FacesContext.getCurrentInstance() during application startup,\nanother WAR can get access to the leftover context and thus get access to\nthe other WAR\u0027s resources. A local attacker could use this flaw to access\nanother WAR\u0027s resources using a crafted, deployed application.\n(CVE-2012-2672)\n\nAn input sanitization flaw was found in the mod_negotiation Apache HTTP\nServer module. A remote attacker able to upload or create files with\narbitrary names in a directory that has the MultiViews options enabled,\ncould use this flaw to conduct cross-site scripting attacks against users\nvisiting the site. (CVE-2008-0455, CVE-2012-2687)\n\nRed Hat would like to thank the Apache CXF project for reporting\nCVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue\nwas discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering\nteam; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of\nthe Red Hat Security Response Team; and CVE-2012-2672 was discovered by\nMarek Schmidt and Stan Silvert of Red Hat.\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation and deployed applications.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:1594",
        "url": "https://access.redhat.com/errata/RHSA-2012:1594"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/knowledge/docs/",
        "url": "https://access.redhat.com/knowledge/docs/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=distributions",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=distributions"
      },
      {
        "category": "external",
        "summary": "813559",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=813559"
      },
      {
        "category": "external",
        "summary": "826533",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826533"
      },
      {
        "category": "external",
        "summary": "826534",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826534"
      },
      {
        "category": "external",
        "summary": "829560",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=829560"
      },
      {
        "category": "external",
        "summary": "843358",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=843358"
      },
      {
        "category": "external",
        "summary": "850794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=850794"
      },
      {
        "category": "external",
        "summary": "851896",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=851896"
      },
      {
        "category": "external",
        "summary": "870868",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=870868"
      },
      {
        "category": "external",
        "summary": "870871",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=870871"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2012/rhsa-2012_1594.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Enterprise Application Platform 6.0.1 update",
    "tracking": {
      "current_release_date": "2024-09-15T20:00:27+00:00",
      "generator": {
        "date": "2024-09-15T20:00:27+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2012:1594",
      "initial_release_date": "2012-12-18T22:43:00+00:00",
      "revision_history": [
        {
          "date": "2012-12-18T22:43:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-12-18T22:52:56+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-15T20:00:27+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.0",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.0",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-0455",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2012-08-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "850794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-0455"
        },
        {
          "category": "external",
          "summary": "RHBZ#850794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=850794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-0455",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-0455"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-0455",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0455"
        }
      ],
      "release_date": "2012-06-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled"
    },
    {
      "cve": "CVE-2012-0883",
      "discovery_date": "2012-04-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "813559"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: insecure handling of LD_LIBRARY_PATH in envvars",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-0883"
        },
        {
          "category": "external",
          "summary": "RHBZ#813559",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=813559"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-0883",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-0883"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0883",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0883"
        }
      ],
      "release_date": "2012-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.7,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "httpd: insecure handling of LD_LIBRARY_PATH in envvars"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Apache CXF project"
          ]
        }
      ],
      "cve": "CVE-2012-2378",
      "discovery_date": "2012-05-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "826533"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-2378"
        },
        {
          "category": "external",
          "summary": "RHBZ#826533",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826533"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-2378",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-2378"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2378",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2378"
        },
        {
          "category": "external",
          "summary": "http://cxf.apache.org/cve-2012-2378.html",
          "url": "http://cxf.apache.org/cve-2012-2378.html"
        }
      ],
      "release_date": "2012-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Apache CXF project"
          ]
        }
      ],
      "cve": "CVE-2012-2379",
      "discovery_date": "2012-05-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "826534"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-2379"
        },
        {
          "category": "external",
          "summary": "RHBZ#826534",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826534"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-2379",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-2379"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2379",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2379"
        },
        {
          "category": "external",
          "summary": "http://cxf.apache.org/cve-2012-2379.html",
          "url": "http://cxf.apache.org/cve-2012-2379.html"
        }
      ],
      "release_date": "2012-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Marek Schmidt"
          ]
        },
        {
          "names": [
            "Stan Silvert"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2012-2672",
      "discovery_date": "2012-06-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "829560"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Oracle Mojarra 2.1.7 does not properly \"clean up\" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Mojarra: deployed web applications can read FacesContext from other applications under certain conditions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-2672"
        },
        {
          "category": "external",
          "summary": "RHBZ#829560",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=829560"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-2672",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-2672"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2672",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2672"
        }
      ],
      "release_date": "2012-06-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Mojarra: deployed web applications can read FacesContext from other applications under certain conditions"
    },
    {
      "cve": "CVE-2012-2687",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2012-08-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "850794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-2687"
        },
        {
          "category": "external",
          "summary": "RHBZ#850794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=850794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-2687",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-2687"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2687",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2687"
        }
      ],
      "release_date": "2012-06-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Arun Neelicattu"
          ],
          "organization": "Red Hat Security Response Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2012-3428",
      "discovery_date": "2012-07-25T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "843358"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource connection in opportunistic circumstances via an invalid connection attempt.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-3428"
        },
        {
          "category": "external",
          "summary": "RHBZ#843358",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=843358"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-3428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-3428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3428"
        }
      ],
      "release_date": "2012-12-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Apache CXF project"
          ]
        }
      ],
      "cve": "CVE-2012-3451",
      "discovery_date": "2012-08-25T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "851896"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-cxf: SOAPAction spoofing on document literal web services",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-3451"
        },
        {
          "category": "external",
          "summary": "RHBZ#851896",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=851896"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-3451",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-3451"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3451",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3451"
        }
      ],
      "release_date": "2012-09-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-cxf: SOAPAction spoofing on document literal web services"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Arun Neelicattu"
          ],
          "organization": "Red Hat Security Response Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2012-4549",
      "discovery_date": "2012-10-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "870868"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "AS: EJB authorization succeeds for any role when allowed roles list is empty",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4549"
        },
        {
          "category": "external",
          "summary": "RHBZ#870868",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=870868"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4549",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4549"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4549",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4549"
        }
      ],
      "release_date": "2012-12-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "AS: EJB authorization succeeds for any role when allowed roles list is empty"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Josef Cacek"
          ],
          "organization": "Red Hat JBoss EAP Quality Engineering team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2012-4550",
      "discovery_date": "2012-10-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "870871"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4550"
        },
        {
          "category": "external",
          "summary": "RHBZ#870871",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=870871"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4550",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4550"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4550",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4550"
        }
      ],
      "release_date": "2012-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users of JBoss Enterprise Application Platform 6.0.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to JBoss Enterprise\nApplication Platform 6.0.1.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Enterprise Application Platform installation and deployed\napplications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied"
    }
  ]
}
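The CVE-2012-3451 entry above describes SOAPAction spoofing on document-literal services: the SOAPAction header names one operation while the Body carries another, and policy or access decisions keyed on the header are then applied to the wrong operation. The model below is an added example, not Apache CXF code; the service namespace, the operation table, the role sets and the sample envelope are all constructed for the illustration. It contrasts a dispatcher that trusts the header with one that resolves the operation from the Body's first child element and rejects a header that disagrees.

```python
"""Model of a SOAPAction consistency check for a document-literal service.

Added illustration, not Apache CXF code. Namespace, operations, roles and the
sample envelope below are constructed for this example.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:accounts"  # constructed service namespace

# Constructed operation table: body element -> (SOAPAction value, allowed roles)
OPERATIONS = {
    "getBalance": ("urn:example:accounts/getBalance", {"user", "admin"}),
    "transfer":   ("urn:example:accounts/transfer",   {"admin"}),
}


def body_operation(envelope_xml):
    """Return the local name of the first element inside soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    ns, _, local = body[0].tag.rpartition("}")
    if ns.lstrip("{") != SERVICE_NS:
        raise ValueError(f"unexpected body namespace {ns}")
    return local


def dispatch_by_header(envelope_xml, soap_action, caller_roles):
    """Spoofable: authorize the operation named by SOAPAction, then run the body."""
    header_op = next(
        (op for op, (action, _) in OPERATIONS.items() if action == soap_action), None
    )
    if header_op is None:
        return "fault: unknown SOAPAction"
    if not caller_roles & OPERATIONS[header_op][1]:
        return "fault: access denied"
    # The access decision covered header_op, but the body decides what executes.
    return f"executed {body_operation(envelope_xml)}"


def dispatch_by_body(envelope_xml, soap_action, caller_roles):
    """Hardened: the Body selects the operation; SOAPAction must agree with it."""
    op = body_operation(envelope_xml)
    if op not in OPERATIONS:
        return "fault: unknown operation"
    expected_action, allowed = OPERATIONS[op]
    if soap_action is not None and soap_action.strip('"') != expected_action:
        return "fault: SOAPAction does not match body operation"
    if not caller_roles & allowed:
        return "fault: access denied"
    return f"executed {op}"


# Constructed request: header will claim getBalance, body asks for transfer
SPOOFED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <acc:transfer xmlns:acc="{SERVICE_NS}">
      <acc:to>attacker</acc:to><acc:amount>1000</acc:amount>
    </acc:transfer>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    low_priv = {"user"}
    print(dispatch_by_header(SPOOFED_REQUEST, OPERATIONS["getBalance"][0], low_priv))
    print(dispatch_by_body(SPOOFED_REQUEST, OPERATIONS["getBalance"][0], low_priv))
```

The point the advisory makes still applies to the hardened path: WS-Policy and role checks are evaluated against the operation actually being invoked, so a request must satisfy the policy of the Body operation to succeed. The header-keyed path is the one where a low-privilege caller can get `transfer` executed under `getBalance`'s access decision.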

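The CVE-2012-4549 entry describes an EJB authorization interceptor that authorized every caller when a method's allowed-roles list was empty. The model below is an added example, not JBoss EAP code; the bean, method names and role sets are constructed. It shows why "no roles declared" must be treated differently from an explicit PermitAll, and what each check lets a caller with no matching role invoke.

```python
"""Model of an EJB method-authorization role check.

Added illustration, not JBoss AS/EAP code. Bean, methods and roles are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MethodSecurity:
    """Constructed model of @RolesAllowed / @PermitAll / @DenyAll metadata."""
    roles_allowed: frozenset = frozenset()
    permit_all: bool = False
    deny_all: bool = False


def authorize_vulnerable(meta, caller_roles):
    """Behaviour described for CVE-2012-4549: no allowed roles means everyone passes."""
    if meta.deny_all:
        return False
    if meta.permit_all or not meta.roles_allowed:
        return True
    return bool(caller_roles & meta.roles_allowed)


def authorize_fixed(meta, caller_roles):
    """Deny by default: an empty roles set passes only when PermitAll was declared."""
    if meta.deny_all:
        return False
    if meta.permit_all:
        return True
    if not meta.roles_allowed:
        return False
    return bool(caller_roles & meta.roles_allowed)


# Constructed deployment: "audit" ended up with no roles declared at all
CONSTRUCTED_BEAN = {
    "AccountBean.deposit":  MethodSecurity(roles_allowed=frozenset({"teller"})),
    "AccountBean.audit":    MethodSecurity(),
    "AccountBean.ping":     MethodSecurity(permit_all=True),
    "AccountBean.shutdown": MethodSecurity(deny_all=True),
}


def invocable_methods(authorize, caller_roles):
    """Return the methods a caller with these roles may invoke under a given check."""
    return {m for m, meta in CONSTRUCTED_BEAN.items() if authorize(meta, caller_roles)}


if __name__ == "__main__":
    guest = frozenset({"guest"})
    print("vulnerable:", sorted(invocable_methods(authorize_vulnerable, guest)))
    print("fixed:     ", sorted(invocable_methods(authorize_fixed, guest)))
```

A method that no role is allowed to call is reachable only through a misconfiguration, which is exactly when the interceptor should fail closed; the related CVE-2012-4550 entry describes the other half of the same requirement, that the configured authorization modules (JACC, XACML) actually get consulted rather than bypassed.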