rhsa-2013_1147
Vulnerability from csaf_redhat
Published
2013-08-08 17:04
Modified
2024-11-22 06:54
Summary
Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 update

Notes

Topic
Red Hat JBoss SOA Platform 5.3.1 roll up patch 3, which fixes three security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783) A flaw in JRuby's JSON gem allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269) It was discovered that JRuby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821) Note: Red Hat JBoss SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2013-0269 and CVE-2013-1821 flaws are not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application. Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269. Warning: Before applying the update, back up your existing Red Hat JBoss SOA Platform installation (including its databases, applications, configuration files, and so on). All users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss SOA Platform 5.3.1 roll up patch 3, which fixes three\nsecurity issues and various bugs, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss SOA Platform is the next-generation ESB and business process\nautomation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage\nexisting (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and\nCEP) integration methodologies to dramatically improve business process\nexecution speed and quality.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA\nPlatform 5.3.1. It includes various bug fixes. The following security\nissues are also fixed with this release:\n\nThe Jakarta Commons HttpClient component did not verify that the server\nhostname matched the domain name in the subject\u0027s Common Name (CN) or\nsubjectAltName field in X.509 certificates. This could allow a\nman-in-the-middle attacker to spoof an SSL server if they had a certificate\nthat was valid for any domain name. (CVE-2012-5783)\n\nA flaw in JRuby\u0027s JSON gem allowed remote attacks by creating different\ntypes of malicious objects. For example, it could initiate a denial of\nservice attack through resource consumption by using a JSON document to\ncreate arbitrary Ruby symbols, which were never garbage collected. It could\nalso be exploited to create internal objects which could allow a SQL\ninjection attack. (CVE-2013-0269)\n\nIt was discovered that JRuby\u0027s REXML library did not properly restrict XML\nentity expansion. An attacker could use this flaw to cause a denial of\nservice by tricking a Ruby application using REXML to read text nodes from\nspecially-crafted XML content, which will result in REXML consuming large\namounts of system memory. (CVE-2013-1821)\n\nNote: Red Hat JBoss SOA Platform only provides JRuby as a dependency of\nthe scripting_chain quickstart example application. The CVE-2013-0269 and\nCVE-2013-1821 flaws are not exposed unless the version of JRuby shipped\nwith that quickstart is used by a deployed, custom application.\n\nRed Hat would like to thank Ruby on Rails upstream for reporting\nCVE-2013-0269. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben\nMurphy as the original reporters of CVE-2013-0269.\n\nWarning: Before applying the update, back up your existing Red Hat JBoss\nSOA Platform installation (including its databases, applications,\nconfiguration files, and so on).\n\nAll users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red\nHat Customer Portal are advised to apply this roll up patch.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1147",
        "url": "https://access.redhat.com/errata/RHSA-2013:1147"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
      },
      {
        "category": "external",
        "summary": "873317",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
      },
      {
        "category": "external",
        "summary": "909029",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909029"
      },
      {
        "category": "external",
        "summary": "914716",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=914716"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1147.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 update",
    "tracking": {
      "current_release_date": "2024-11-22T06:54:54+00:00",
      "generator": {
        "date": "2024-11-22T06:54:54+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:1147",
      "initial_release_date": "2013-08-08T17:04:00+00:00",
      "revision_history": [
        {
          "date": "2013-08-08T17:04:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-08-08T17:07:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T06:54:54+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss SOA Platform 5.3",
                "product": {
                  "name": "Red Hat JBoss SOA Platform 5.3",
                  "product_id": "Red Hat JBoss SOA Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2012-5783",
      "discovery_date": "2012-11-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "873317"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-5783"
        },
        {
          "category": "external",
          "summary": "RHBZ#873317",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-5783",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783"
        }
      ],
      "release_date": "2012-10-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-08-08T17:04:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss SOA Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1147"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Ruby on Rails upstream"
          ]
        },
        {
          "names": [
            "Thomas Hollstegge"
          ],
          "organization": "Zweitag",
          "summary": "Acknowledged by upstream."
        },
        {
          "names": [
            "Ben Murphy"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2013-0269",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2013-02-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "909029"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rubygem-json: Denial of Service and SQL Injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite tools ship RubyGem Json 1.4.6 which is earlier than affected 1.5.5 version however, this version of RubyGem is not affected to the flaw. We may update RubyGem in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0269"
        },
        {
          "category": "external",
          "summary": "RHBZ#909029",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909029"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0269",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0269"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269"
        },
        {
          "category": "external",
          "summary": "http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/",
          "url": "http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/"
        }
      ],
      "release_date": "2013-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-08-08T17:04:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss SOA Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1147"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "rubygem-json: Denial of Service and SQL Injection"
    },
    {
      "cve": "CVE-2013-1821",
      "discovery_date": "2013-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "914716"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ruby: entity expansion DoS vulnerability in REXML",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-1821"
        },
        {
          "category": "external",
          "summary": "RHBZ#914716",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=914716"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1821",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-1821"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1821",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1821"
        },
        {
          "category": "external",
          "summary": "http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/",
          "url": "http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/"
        }
      ],
      "release_date": "2013-02-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-08-08T17:04:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss SOA Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1147"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ruby: entity expansion DoS vulnerability in REXML"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.