rhsa-2014_0037
Vulnerability from csaf_redhat
Published
2014-01-21 17:33
Modified
2024-11-05 18:17
Summary
Red Hat Security Advisory: jasperreports-server-pro security, bug fix, and enhancement update

Notes

Topic
An updated jasperreports-server-pro package that fixes two security issues, several bugs, and adds various enhancements is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5784) A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle attacker could possibly use this flaw to unilaterally disable bidirectional authentication between a client and a server, forcing a downgrade to simple (unidirectional) authentication. This flaw only affects users who have enabled Hadoop's Kerberos security features. (CVE-2013-2192) This update fixes several bugs and adds multiple enhancements. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. All jasperreports-server-pro users are advised to upgrade to this updated package, which contains backported patches to correct these issues and add these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated jasperreports-server-pro package that fixes two security issues,\nseveral bugs, and adds various enhancements is now available.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Red Hat Enterprise Virtualization reports package provides a suite of\npre-configured reports and dashboards that enable you to monitor the\nsystem. The reports module is based on JasperReports and JasperServer, and\ncan also be used to create ad-hoc reports.\n\nApache Axis did not verify that the server hostname matched the domain name\nin the subject\u0027s Common Name (CN) or subjectAltName field in X.509\ncertificates. This could allow a man-in-the-middle attacker to spoof an SSL\nserver if they had a certificate that was valid for any domain name.\n(CVE-2012-5784)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affects users who have\nenabled Hadoop\u0027s Kerberos security features. (CVE-2013-2192)\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll jasperreports-server-pro users are advised to upgrade to this updated\npackage, which contains backported patches to correct these issues and add\nthese enhancements.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0037",
        "url": "https://access.redhat.com/errata/RHSA-2014:0037"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html/Technical_Notes/chap-RHSA-20140037_-_jasperreports.html",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html/Technical_Notes/chap-RHSA-20140037_-_jasperreports.html"
      },
      {
        "category": "external",
        "summary": "873252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873252"
      },
      {
        "category": "external",
        "summary": "967349",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=967349"
      },
      {
        "category": "external",
        "summary": "977642",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=977642"
      },
      {
        "category": "external",
        "summary": "988210",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988210"
      },
      {
        "category": "external",
        "summary": "1001326",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001326"
      },
      {
        "category": "external",
        "summary": "1020340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1020340"
      },
      {
        "category": "external",
        "summary": "1033090",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1033090"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0037.json"
      }
    ],
    "title": "Red Hat Security Advisory: jasperreports-server-pro security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-05T18:17:47+00:00",
      "generator": {
        "date": "2024-11-05T18:17:47+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2014:0037",
      "initial_release_date": "2014-01-21T17:33:29+00:00",
      "revision_history": [
        {
          "date": "2014-01-21T17:33:29+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-01-21T17:33:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T18:17:47+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHEV-M 3.3",
                "product": {
                  "name": "RHEV-M 3.3",
                  "product_id": "6Server-RHEV-S-3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhev_manager:3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.src",
                "product": {
                  "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.src",
                  "product_id": "jasperreports-server-pro-0:5.5.0-4.el6ev.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jasperreports-server-pro@5.5.0-4.el6ev?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
                "product": {
                  "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
                  "product_id": "jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jasperreports-server-pro@5.5.0-4.el6ev?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.noarch as a component of RHEV-M 3.3",
          "product_id": "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch"
        },
        "product_reference": "jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
        "relates_to_product_reference": "6Server-RHEV-S-3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jasperreports-server-pro-0:5.5.0-4.el6ev.src as a component of RHEV-M 3.3",
          "product_id": "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
        },
        "product_reference": "jasperreports-server-pro-0:5.5.0-4.el6ev.src",
        "relates_to_product_reference": "6Server-RHEV-S-3.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2012-5784",
      "discovery_date": "2012-11-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "873252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache Axis did not verify that the server host name matched the domain name in the subject\u0027s Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axis: missing connection hostname check against X.509 certificate name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
          "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-5784"
        },
        {
          "category": "external",
          "summary": "RHBZ#873252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-5784",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-5784"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5784",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5784"
        }
      ],
      "release_date": "2012-10-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-21T17:33:29+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0037"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "axis: missing connection hostname check against X.509 certificate name"
    },
    {
      "cve": "CVE-2013-2192",
      "discovery_date": "2013-08-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1001326"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "hadoop: man-in-the-middle vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
          "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1001326",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001326"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192"
        }
      ],
      "release_date": "2013-08-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-21T17:33:29+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0037"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.2,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.noarch",
            "6Server-RHEV-S-3.3:jasperreports-server-pro-0:5.5.0-4.el6ev.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "hadoop: man-in-the-middle vulnerability"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.