rhsa-2015_1041
Vulnerability from csaf_redhat
Published
2015-06-01 17:08
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update

Notes

Topic
Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which fixes two security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0. It includes several bug fixes, which are documented in the readme.txt file included with the patch files. The following security issues are addressed in this release: It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0263) It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0264) Refer to the readme.txt file included with the patch files for installation instructions. All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1041",
        "url": "https://access.redhat.com/errata/RHSA-2015:1041"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0"
      },
      {
        "category": "external",
        "summary": "1203341",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341"
      },
      {
        "category": "external",
        "summary": "1203344",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update",
    "tracking": {
      "current_release_date": "2024-11-22T09:21:36+00:00",
      "generator": {
        "date": "2024-11-22T09:21:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:1041",
      "initial_release_date": "2015-06-01T17:08:08+00:00",
      "revision_history": [
        {
          "date": "2015-06-01T17:08:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:35:43+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:21:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss A-MQ 6.1",
                "product": {
                  "name": "Red Hat JBoss A-MQ 6.1",
                  "product_id": "Red Hat JBoss A-MQ 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:6.1.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Fuse 6.1",
                "product": {
                  "name": "Red Hat JBoss Fuse 6.1",
                  "product_id": "Red Hat JBoss Fuse 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-0263",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2015-03-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1203344"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Camel: XXE in via SAXSource expansion",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.1",
          "Red Hat JBoss Fuse 6.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0263"
        },
        {
          "category": "external",
          "summary": "RHBZ#1203344",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263"
        },
        {
          "category": "external",
          "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc",
          "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc"
        }
      ],
      "release_date": "2015-03-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-06-01T17:08:08+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1041"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Camel: XXE in via SAXSource expansion"
    },
    {
      "cve": "CVE-2015-0264",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2015-03-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1203341"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Camel: XXE via XPath expression evaluation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.1",
          "Red Hat JBoss Fuse 6.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0264"
        },
        {
          "category": "external",
          "summary": "RHBZ#1203341",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264"
        },
        {
          "category": "external",
          "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc",
          "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc"
        }
      ],
      "release_date": "2015-03-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-06-01T17:08:08+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1041"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Camel: XXE via XPath expression evaluation"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.