===================================================================== CERT-Renater Note d'Information No. 2011/VULN214 _____________________________________________________________________ DATE : 10/03/2011 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running JBoss Enterprise SOA Platform version 4.3.CP04, 5.0.2, JBoss Enterprise Portal Platform version 4.3.CP06, 5.1.0. ====================================================================== https://rhn.redhat.com/errata/RHSA-2011-0333.html https://rhn.redhat.com/errata/RHSA-2011-0334.html ______________________________________________________________________ ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update Advisory ID: RHSA-2011:0333-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0333.html Issue date: 2011-03-09 CVE Names: CVE-2010-4476 ===================================================================== 1. Summary: Updated jbossweb-2.0.0.jar and jbossweb-2.1.10.jar files for JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 that fix one security issue are now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause JBoss Web Server to hang via a specially-crafted HTTP request. (CVE-2010-4476) All users of JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section of this erratum for update instructions. 3. Solution: Updated jbossweb-2.0.0.jar (for 4.3.CP04) and jbossweb-2.1.10.jar (for 5.0.2) files that fix CVE-2010-4476 for JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 are available from the Red Hat Customer Portal. To download and install the updated files: 1) Log into the Customer Portal: https://access.redhat.com/login 2) Navigate to https://access.redhat.com/jbossnetwork/restricted/listSoftware.html 3) On the left-hand side menu, under "JBoss Enterprise Platforms" click "SOA Platform". Then, using the "Version:" drop down menu, select the SOA Platform version you are using, such as "4.3.0.GA_CP04" or "5.0.2 GA". 4) From the "Security Advisories" tab, click the "CVE-2010-4476 JBossweb update fixing JDK double bug..." link in the "Download File" column. The "Software Details" page is displayed, where you can download the update and view installation instructions. 5) Backup your existing jbossweb.jar file (refer to the "Software Details" page, from step 4, for the location of this file). 6) After downloading the update, ensure you backed up your existing jbossweb.jar file as per step 5, and then follow the manual installation step on the "Software Details" page. Note that it is recommended to halt the JBoss Enterprise SOA Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise SOA Platform server by starting the JBoss Application Server process. 4. Bugs fixed (http://bugzilla.redhat.com/): 674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service 5. References: https://www.redhat.com/security/data/cve/CVE-2010-4476.html https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. _______________________________________________________________________ ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 security update Advisory ID: RHSA-2011:0334-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0334.html Issue date: 2011-03-09 CVE Names: CVE-2010-4476 ===================================================================== 1. Summary: Updated jbossweb-2.0.0.jar and jbossweb-2.1.10.jar files for JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 that fix one security issue are now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause JBoss Web Server to hang via a specially-crafted HTTP request. (CVE-2010-4476) All users of JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section of this erratum for update instructions. 3. Solution: Updated jbossweb-2.0.0.jar (for 4.3.CP06) and jbossweb-2.1.10.jar (for 5.1.0) files that fix CVE-2010-4476 for JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 are available from the Red Hat Customer Portal. To download and install the updated files: 1) Log into the Customer Portal: https://access.redhat.com/login 2) Navigate to https://access.redhat.com/jbossnetwork/restricted/listSoftware.html 3) On the left-hand side menu, under "JBoss Enterprise Platforms" click "Portal Platform". Then, using the "Version:" drop down menu, select the Portal Platform version you are using, such as "4.3 CP06" or "5.1.0". 4) From the "Security Advisories" tab, click the "CVE-2010-4476 JBossweb update fixing JDK double bug..." link in the "Download File" column. The "Software Details" page is displayed, where you can download the update and view installation instructions. 5) Backup your existing jbossweb.jar file (refer to the "Software Details" page, from step 4, for the location of this file). 6) After downloading the update, ensure you backed up your existing jbossweb.jar file as per step 5, and then follow the manual installation step on the "Software Details" page. After installing the update, the JBoss server process must be restarted for the update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service 5. References: https://www.redhat.com/security/data/cve/CVE-2010-4476.html https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================