rhsa-2014_0842
Vulnerability from csaf_redhat
Published
2014-07-07 14:49
Modified
2024-09-15 21:33
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.2.4 security update

Notes

Topic
An update for Red Hat JBoss Enterprise Application Platform 6.2.4 that fixes multiple security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that JBoss Web did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. (CVE-2014-0119) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Enterprise Application Platform 6.2.4 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat JBoss Enterprise Application Platform 6.2.4 that\nfixes multiple security issues is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nIt was discovered that JBoss Web did not limit the length of chunk sizes\nwhen using chunked transfer encoding. A remote attacker could use this flaw\nto perform a denial of service attack against JBoss Web by streaming an\nunlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that JBoss Web did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a JBoss Web server\nlocated behind a reverse proxy that processed the content length header\ncorrectly. (CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in JBoss Web allowed the definition of XML External Entities\n(XXEs) in provided XSLTs. A malicious application could use this to\ncircumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by JBoss Web to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same JBoss Web instance. (CVE-2014-0119)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.4 as\nprovided from the Red Hat Customer Portal are advised to apply this update.\nThe JBoss server process must be restarted for the update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0842",
        "url": "https://access.redhat.com/errata/RHSA-2014:0842"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.2.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.2.0"
      },
      {
        "category": "external",
        "summary": "1072776",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072776"
      },
      {
        "category": "external",
        "summary": "1088342",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088342"
      },
      {
        "category": "external",
        "summary": "1102030",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102030"
      },
      {
        "category": "external",
        "summary": "1102038",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102038"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2014/rhsa-2014_0842.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.2.4 security update",
    "tracking": {
      "current_release_date": "2024-09-15T21:33:17+00:00",
      "generator": {
        "date": "2024-09-15T21:33:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2014:0842",
      "initial_release_date": "2014-07-07T14:49:59+00:00",
      "revision_history": [
        {
          "date": "2014-07-07T14:49:59+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:33:27+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-15T21:33:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.2",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.2",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 6.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "David Jorm"
          ],
          "organization": "Red Hat Product Security",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-0075",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-02-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1072776"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Moderate security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for  Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0075"
        },
        {
          "category": "external",
          "summary": "RHBZ#1072776",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072776"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0075",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0075"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0075",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0075"
        }
      ],
      "release_date": "2014-05-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0842"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter"
    },
    {
      "cve": "CVE-2014-0096",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2014-04-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1088342"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Low security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for  Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0096"
        },
        {
          "category": "external",
          "summary": "RHBZ#1088342",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088342"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0096",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0096"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0096",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0096"
        }
      ],
      "release_date": "2014-05-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0842"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs"
    },
    {
      "cve": "CVE-2014-0099",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2014-05-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1102030"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat/JBossWeb: Request smuggling via malicious content length header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Moderate security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for  Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0099"
        },
        {
          "category": "external",
          "summary": "RHBZ#1102030",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102030"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0099",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0099"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0099",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0099"
        }
      ],
      "release_date": "2014-05-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0842"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tomcat/JBossWeb: Request smuggling via malicious content length header"
    },
    {
      "cve": "CVE-2014-0119",
      "cwe": {
        "id": "CWE-470",
        "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
      },
      "discovery_date": "2014-05-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1102038"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat/JBossWeb: XML parser hijack by malicious web application",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0119"
        },
        {
          "category": "external",
          "summary": "RHBZ#1102038",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102038"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0119",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0119"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0119",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0119"
        }
      ],
      "release_date": "2014-05-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0842"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Tomcat/JBossWeb: XML parser hijack by malicious web application"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.