rhsa-2014_0910
Vulnerability from csaf_redhat
Published
2014-07-21 18:35
Modified
2024-09-15 21:36
Summary
Red Hat Security Advisory: Red Hat JBoss Operations Network 3.2.2 update

Notes

Topic
Red Hat JBoss Operations Network 3.2.2, which fixes multiple security issues and several bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.2.2 release serves as a replacement for JBoss Operations Network 3.2.1, and includes several bug fixes. Refer to the JBoss Operations Network 3.2.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/ The following security issues are also fixed with this release: It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3530) It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser. (CVE-2013-5855) It was found that the security audit functionality, provided by JBoss Operations Network, logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. Refer to the Solution section of this advisory for additional information on the fix for this issue. (CVE-2014-0058) A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193) Red Hat would like to thank Alexander Papadakis for reporting CVE-2014-3530, and James Roper of Typesafe for reporting CVE-2014-0193. All users of JBoss Operations Network 3.2.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.2.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Operations Network 3.2.2, which fixes multiple security\nissues and several bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Operations Network is a middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.2.2 release serves as a replacement for\nJBoss Operations Network 3.2.1, and includes several bug fixes. Refer to\nthe JBoss Operations Network 3.2.2 Release Notes for information on the\nmost significant of these changes. The Release Notes will be available\nshortly from https://access.redhat.com/documentation/en-US/\n\nThe following security issues are also fixed with this release:\n\nIt was found that the implementation of the\norg.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method\nprovided a DocumentBuilderFactory that would expand entity references.\nA remote, unauthenticated attacker could use this flaw to read files\naccessible to the user running the application server, and potentially\nperform other more advanced XXE attacks. (CVE-2014-3530)\n\nIt was found that Mojarra JavaServer Faces did not properly escape\nuser-supplied content in certain circumstances. Contents of outputText tags\nand raw EL expressions that immediately follow script or style elements\nwere not escaped. A remote attacker could use a specially crafted URL to\nexecute arbitrary web script in the user\u0027s browser. (CVE-2013-5855)\n\nIt was found that the security audit functionality, provided by JBoss\nOperations Network, logged request parameters in plain text. This may have\ncaused passwords to be included in the audit log files when using BASIC or\nFORM-based authentication. A local attacker with access to audit log files\ncould possibly use this flaw to obtain application or server authentication\ncredentials. Refer to the Solution section of this advisory for additional\ninformation on the fix for this issue. (CVE-2014-0058)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on\nthe server configuration, this could lead to a denial of service. (CVE-2014-0193)\n\nRed Hat would like to thank Alexander Papadakis for reporting\nCVE-2014-3530, and James Roper of Typesafe for reporting CVE-2014-0193.\n\nAll users of JBoss Operations Network 3.2.1 as provided from the Red Hat\nCustomer Portal are advised to upgrade to JBoss Operations Network 3.2.2.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0910",
        "url": "https://access.redhat.com/errata/RHSA-2014:0910"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.2.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.2.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/"
      },
      {
        "category": "external",
        "summary": "1063641",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
      },
      {
        "category": "external",
        "summary": "1065139",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065139"
      },
      {
        "category": "external",
        "summary": "1092783",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092783"
      },
      {
        "category": "external",
        "summary": "1112987",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112987"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2014/rhsa-2014_0910.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.2.2 update",
    "tracking": {
      "current_release_date": "2024-09-15T21:36:28+00:00",
      "generator": {
        "date": "2024-09-15T21:36:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2014:0910",
      "initial_release_date": "2014-07-21T18:35:10+00:00",
      "revision_history": [
        {
          "date": "2014-07-21T18:35:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-07-21T18:35:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-15T21:36:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 3.2",
                "product": {
                  "name": "Red Hat JBoss Operations Network 3.2",
                  "product_id": "Red Hat JBoss Operations Network 3.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:3.2.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Operations Network"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-5855",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2014-02-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1065139"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user\u0027s browser.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-5855"
        },
        {
          "category": "external",
          "summary": "RHBZ#1065139",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065139"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-5855",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-5855"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-5855",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5855"
        },
        {
          "category": "external",
          "summary": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209",
          "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209"
        }
      ],
      "release_date": "2014-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.2.2 Release Notes for\ninstallation information.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0910"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions"
    },
    {
      "cve": "CVE-2014-0058",
      "discovery_date": "2014-02-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1063641"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "EAP6: Plain text password logging during security audit",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0058"
        },
        {
          "category": "external",
          "summary": "RHBZ#1063641",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0058",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0058"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058"
        }
      ],
      "release_date": "2014-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.2.2 Release Notes for\ninstallation information.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0910"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "EAP6: Plain text password logging during security audit"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "James Roper"
          ],
          "organization": "Typesafe"
        }
      ],
      "cve": "CVE-2014-0193",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-04-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1092783"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: DoS via memory exhaustion during data aggregation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0193"
        },
        {
          "category": "external",
          "summary": "RHBZ#1092783",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092783"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0193",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0193"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193"
        }
      ],
      "release_date": "2014-05-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.2.2 Release Notes for\ninstallation information.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0910"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "netty: DoS via memory exhaustion during data aggregation"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Alexander Papadakis"
          ]
        }
      ],
      "cve": "CVE-2014-3530",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2014-06-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1112987"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "PicketLink: XXE via insecure DocumentBuilderFactory usage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw could allow remote, unauthenticated attackers to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. All systems hosting PicketLink applications using SAML Identity Providers and Service Providers may be affected. It is strongly advised that anyone running an affected system applies patches to address this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3530"
        },
        {
          "category": "external",
          "summary": "RHBZ#1112987",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112987"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3530",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3530"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3530",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3530"
        }
      ],
      "release_date": "2014-07-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.2.2 Release Notes for\ninstallation information.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0910"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "PicketLink: XXE via insecure DocumentBuilderFactory usage"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.