=====================================================================
CERT-Renater Information Note No. 2011/VULN347
_____________________________________________________________________

DATE                 : 21/04/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Red Hat running JBoss Enterprise Middleware,
                       JBoss Enterprise Application Platform.
======================================================================

https://rhn.redhat.com/errata/RHSA-2011-0463.html
https://rhn.redhat.com/errata/RHSA-2011-0462.html
https://rhn.redhat.com/errata/RHSA-2011-0461.html
https://rhn.redhat.com/errata/RHSA-2011-0460.html
______________________________________________________________________

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 security update
Advisory ID:       RHSA-2011:0463-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0463.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

An updated jboss-seam.jar file for JBoss Enterprise SOA Platform 4.3.0.CP04
and 5.1.0 that fixes one security issue is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business process
automation infrastructure. JBoss Enterprise SOA Platform allows IT to
leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this flaw
to execute arbitrary code via a specially-crafted URL provided to certain
applications based on the JBoss Seam 2 framework. Note: A properly
configured and enabled Java Security Manager would prevent exploitation of
this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

All users of JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 as provided
from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains download links (you must
log in to download the updated file).

Before applying the update, backup your existing JBoss Enterprise SOA
Platform installation (including its databases, applications, configuration
files, and so on).

Important: JBoss Enterprise SOA Platform 4.3.0.CP04 ships with both the
JBoss Seam and JBoss Seam 2 frameworks. Ensure you only replace version 2
with the updated jboss-seam.jar file.

The JBoss Application Server process must be restarted for the update to
take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.3.0.GA_CP04
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.1.0+GA

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
________________________________________________________________________

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam security update
Advisory ID:       RHSA-2011:0462-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0462.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

An updated jboss-seam.jar file for JBoss Enterprise Application Platform
4.3.0.CP09 and 5.1.0 that fixes one security issue is now available from
the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this flaw
to execute arbitrary code via a specially-crafted URL provided to certain
applications based on the JBoss Seam 2 framework. Note: A properly
configured and enabled Java Security Manager would prevent exploitation of
this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

All users of JBoss Enterprise Application Platform 4.3.0.CP09 and 5.1.0 as
provided from the Red Hat Customer Portal are advised to install this
update.

3. Solution:

The References section of this erratum contains download links (you must
log in to download the updated file).

Before applying the update, backup your existing JBoss Enterprise
Application Platform installation (including all applications and
configuration files).

Important: JBoss Enterprise Application Platform 4.3.0.CP09 ships with both
the JBoss Seam and JBoss Seam 2 frameworks. Ensure you only replace version
2 with the updated jboss-seam.jar file.

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.1.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=4.3.0.GA_CP09

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
_______________________________________________________________________

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam2 security update
Advisory ID:       RHSA-2011:0461-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0461.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

Updated jboss-seam2 packages that fix one security issue are now available
for JBoss Enterprise Application Platform 5.1 for Red Hat Enterprise Linux 4
and 5.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch

3. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this flaw
to execute arbitrary code via a specially-crafted URL provided to certain
applications based on the JBoss Seam 2 framework. Note: A properly
configured and enabled Java Security Manager would prevent exploitation of
this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

Users of jboss-seam2 should upgrade to these updated packages, which correct
this issue. The JBoss server process must be restarted for this update to
take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.el4_8.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.el4_8.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.el4_8.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.el4_8.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.ep5.el5.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.ep5.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
_______________________________________________________________________

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam2 security update
Advisory ID:       RHSA-2011:0460-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0460.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

Updated jboss-seam2 packages that fix one security issue are now available
for JBoss Enterprise Application Platform 4.3 for Red Hat Enterprise Linux 4
and 5.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this flaw
to execute arbitrary code via a specially-crafted URL provided to certain
applications based on the JBoss Seam 2 framework. Note: A properly
configured and enabled Java Security Manager would prevent exploitation of
this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

Users of jboss-seam2 should upgrade to these updated packages, which correct
this issue. The JBoss server process must be restarted for this update to
take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el5.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el5.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
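The advisories above describe CVE-2011-1484 as reachable through a specially-crafted URL that lands in Seam 2 page exception handling, where EL constructs are interpolated. The following added example (not part of the Red Hat or CERT-Renater text) is a first-pass triage script for access logs: it URL-decodes each request target, repeating the decode to catch double-encoding, and flags requests whose target contains a JSF/Seam EL delimiter. The log lines are constructed, and the log format assumed is the common Apache/Tomcat access-log layout.

```python
"""Flag access-log requests carrying EL expression delimiters in the URL.

Added example for triaging CVE-2011-1484 exposure; the sample lines below
are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Request line inside a common-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# JSF/Seam EL delimiters; '#' usually arrives percent-encoded, so decode first.
EL_RE = re.compile(r'[#$]\{')


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def flag_el_requests(lines):
    """Return (line_number, method, decoded_target) for requests with EL markers."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = decode_target(m.group("target"))
        if EL_RE.search(target):
            hits.append((n, m.group("method"), target))
    return hits


# Constructed sample log lines (assumption: common access-log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2011:10:00:01 +0200] "GET /app/home.seam HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Apr/2011:10:00:07 +0200] "GET /app/order.seam?id=%23%7Btest%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [21/Apr/2011:10:00:09 +0200] "GET /app/order.seam?id=%2523%257Btest%257D HTTP/1.1" 500 0',
    '10.0.0.2 - - [21/Apr/2011:10:00:11 +0200] "POST /app/login.seam HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, method, target in flag_el_requests(SAMPLE_LOG):
        print(f"line {n}: {method} {target}")
```

Hits that also returned a 5xx status are the ones most worth correlating with server-side exception logs, since the flaw sits in the exception-handling path.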
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel     | fax  : 01-53-94-20-41 +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================