{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An updated activemq package that fixes multiple security issues is now\navailable for Red Hat OpenShift Enterprise 1.2.7.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Apache ActiveMQ provides a SOA infrastructure to connect processes across\nheterogeneous systems.\n\nA flaw was found in Apache Camel's parsing of the FILE_NAME header.\nA remote attacker able to submit messages to a Camel route, which would\nwrite the provided message to a file, could provide expression language\n(EL) expressions in the FILE_NAME header, which would be evaluated on the\nserver. This could lead to arbitrary remote code execution in the context\nof the Camel server process. (CVE-2013-4330)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and provides a configuration directive to re-enable\nit. (CVE-2013-4152)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team, and the CVE-2014-0003 issue was discovered by David\nJorm of the Red Hat Security Response Team.\n\nAll users of Red Hat OpenShift Enterprise 1.2.7 are advised to upgrade to\nthis updated package, which corrects these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2014:0254",
            url: "https://access.redhat.com/errata/RHSA-2014:0254",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "958618",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
         },
         {
            category: "external",
            summary: "1000186",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186",
         },
         {
            category: "external",
            summary: "1011726",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1011726",
         },
         {
            category: "external",
            summary: "1049692",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1049692",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0254.json",
         },
      ],
      title: "Red Hat Security Advisory: activemq security update",
      tracking: {
         current_release_date: "2024-11-22T07:38:53+00:00",
         generator: {
            date: "2024-11-22T07:38:53+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2014:0254",
         initial_release_date: "2014-03-05T19:05:16+00:00",
         revision_history: [
            {
               date: "2014-03-05T19:05:16+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2014-03-05T19:05:16+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-22T07:38:53+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHOSE Infrastructure 1.2",
                        product: {
                           name: "RHOSE Infrastructure 1.2",
                           product_id: "6Server-RHOSE-INFRA-1.2",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:openshift:1.2::el6",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat OpenShift Enterprise Node",
                        product: {
                           name: "Red Hat OpenShift Enterprise Node",
                           product_id: "6Server-RHOSE-NODE-1.2",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:openshift:1.2::el6",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat OpenShift Enterprise",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "activemq-0:5.9.0-4.redhat.610328.el6op.src",
                        product: {
                           name: "activemq-0:5.9.0-4.redhat.610328.el6op.src",
                           product_id: "activemq-0:5.9.0-4.redhat.610328.el6op.src",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/activemq@5.9.0-4.redhat.610328.el6op?arch=src",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "src",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                        product: {
                           name: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                           product_id: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/activemq-client@5.9.0-4.redhat.610328.el6op?arch=x86_64",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                        product: {
                           name: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                           product_id: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/activemq@5.9.0-4.redhat.610328.el6op?arch=x86_64",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-0:5.9.0-4.redhat.610328.el6op.src as a component of RHOSE Infrastructure 1.2",
               product_id: "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
            },
            product_reference: "activemq-0:5.9.0-4.redhat.610328.el6op.src",
            relates_to_product_reference: "6Server-RHOSE-INFRA-1.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64 as a component of RHOSE Infrastructure 1.2",
               product_id: "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
            },
            product_reference: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
            relates_to_product_reference: "6Server-RHOSE-INFRA-1.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64 as a component of RHOSE Infrastructure 1.2",
               product_id: "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            },
            product_reference: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            relates_to_product_reference: "6Server-RHOSE-INFRA-1.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-0:5.9.0-4.redhat.610328.el6op.src as a component of Red Hat OpenShift Enterprise Node",
               product_id: "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
            },
            product_reference: "activemq-0:5.9.0-4.redhat.610328.el6op.src",
            relates_to_product_reference: "6Server-RHOSE-NODE-1.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64 as a component of Red Hat OpenShift Enterprise Node",
               product_id: "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
            },
            product_reference: "activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
            relates_to_product_reference: "6Server-RHOSE-NODE-1.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64 as a component of Red Hat OpenShift Enterprise Node",
               product_id: "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            },
            product_reference: "activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            relates_to_product_reference: "6Server-RHOSE-NODE-1.2",
         },
      ],
   },
   vulnerabilities: [
      {
         acknowledgments: [
            {
               names: [
                  "Florian Weimer",
               ],
               organization: "Red Hat Product Security Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-2035",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2013-04-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "958618",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2035",
            },
            {
               category: "external",
               summary: "RHBZ#958618",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
            },
         ],
         release_date: "2013-05-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-03-05T19:05:16+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
               product_ids: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0254",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 3.3,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
      },
      {
         cve: "CVE-2013-4152",
         discovery_date: "2013-08-22T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1000186",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: XML External Entity (XXE) injection flaw",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-4152",
            },
            {
               category: "external",
               summary: "RHBZ#1000186",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-4152",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2013-4152",
               url: "http://www.gopivotal.com/security/cve-2013-4152",
            },
            {
               category: "external",
               summary: "https://github.com/SpringSource/spring-framework/pull/317",
               url: "https://github.com/SpringSource/spring-framework/pull/317",
            },
            {
               category: "external",
               summary: "https://jira.springsource.org/browse/SPR-10806",
               url: "https://jira.springsource.org/browse/SPR-10806",
            },
         ],
         release_date: "2013-08-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-03-05T19:05:16+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
               product_ids: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0254",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: XML External Entity (XXE) injection flaw",
      },
      {
         cve: "CVE-2013-4330",
         discovery_date: "2013-09-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1011726",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including \"$simple{}\" in a CamelFileName message header to a (1) FILE or (2) FTP producer.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Camel: remote code execution via header field manipulation",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-4330",
            },
            {
               category: "external",
               summary: "RHBZ#1011726",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1011726",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-4330",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-4330",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4330",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4330",
            },
         ],
         release_date: "2013-09-30T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-03-05T19:05:16+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
               product_ids: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0254",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               products: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Camel: remote code execution via header field manipulation",
      },
      {
         acknowledgments: [
            {
               names: [
                  "David Jorm",
               ],
               organization: "Red Hat Security Response Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0003",
         discovery_date: "2014-01-07T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1049692",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Camel: remote code execution via XSL",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
               "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
               "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0003",
            },
            {
               category: "external",
               summary: "RHBZ#1049692",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1049692",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0003",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0003",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0003",
            },
            {
               category: "external",
               summary: "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
               url: "http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc",
            },
         ],
         release_date: "2014-02-28T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-03-05T19:05:16+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
               product_ids: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0254",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P",
                  version: "2.0",
               },
               products: [
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-INFRA-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-INFRA-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.src",
                  "6Server-RHOSE-NODE-1.2:activemq-0:5.9.0-4.redhat.610328.el6op.x86_64",
                  "6Server-RHOSE-NODE-1.2:activemq-client-0:5.9.0-4.redhat.610328.el6op.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Camel: remote code execution via XSL",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 3, which fixes\nmultiple security issues and various bugs, is now available from the Red\nHat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse\nService Works 6.0.0. It includes various bug fixes, which are listed in the\nREADME file included with the patch files.\n\nThe following security issues are fixed with this release:\n\nIt was found that the secure processing feature of Xalan-Java had\ninsufficient restrictions defined for certain properties and features.\nA remote attacker able to provide Extensible Stylesheet Language\nTransformations (XSLT) content to be processed by an application using\nXalan-Java could use this flaw to bypass the intended constraints of the\nsecure processing feature. Depending on the components available in the\nclasspath, this could lead to arbitrary remote code execution in the\ncontext of the application server running the application that uses\nXalan-Java. (CVE-2014-0107)\n\nIt was found that the ParserPool and Decrypter classes in the OpenSAML Java\nimplementation resolved external entities, permitting XML External Entity\n(XXE) attacks. A remote attacker could use this flaw to read files\naccessible to the user running the application server, and potentially\nperform other more advanced XXE attacks. (CVE-2013-6440)\n\nIt was found that Java Security Manager permissions configured via a policy\nfile were not properly applied, causing all deployed applications to be\ngranted the java.security.AllPermission permission. In certain cases, an\nattacker could use this flaw to circumvent expected security measures to\nperform actions which would otherwise be restricted. (CVE-2014-0093)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nIn Red Hat JBoss Enterprise Application Platform, when running under a\nsecurity manager, it was possible for deployed code to get access to the\nModular Service Container (MSC) service registry without any permission\nchecks. This could allow malicious deployments to modify the internal state\nof the server in various ways. (CVE-2014-0018)\n\nIt was found that the security audit functionality logged request\nparameters in plain text. This may have caused passwords to be included in\nthe audit log files when using BASIC or FORM-based authentication. A local\nattacker with access to audit log files could possibly use this flaw to\nobtain application or server authentication credentials. (CVE-2014-0058)\n\nThe CVE-2013-6440 issue was discovered by David Illsley, Ron Gutierrez of\nGotham Digital Science, and David Jorm of Red Hat Product Security; the\nCVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP\nQuality Engineering team; the CVE-2013-2035 issue was discovered by Florian\nWeimer of Red Hat Product Security; and the CVE-2014-0018 issue was\ndiscovered by Stuart Douglas of Red Hat.\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2014:1995",
            url: "https://access.redhat.com/errata/RHSA-2014:1995",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0",
         },
         {
            category: "external",
            summary: "958618",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
         },
         {
            category: "external",
            summary: "1043332",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1043332",
         },
         {
            category: "external",
            summary: "1052783",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1052783",
         },
         {
            category: "external",
            summary: "1063641",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1063641",
         },
         {
            category: "external",
            summary: "1070046",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1070046",
         },
         {
            category: "external",
            summary: "1080248",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1080248",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1995.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.0.0 security update",
      tracking: {
         current_release_date: "2024-11-22T08:14:23+00:00",
         generator: {
            date: "2024-11-22T08:14:23+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2014:1995",
         initial_release_date: "2014-12-15T20:35:32+00:00",
         revision_history: [
            {
               date: "2014-12-15T20:35:32+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2019-02-20T12:33:36+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-22T08:14:23+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat JBoss Fuse Service Works 6.0",
                        product: {
                           name: "Red Hat JBoss Fuse Service Works 6.0",
                           product_id: "Red Hat JBoss Fuse Service Works 6.0",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_fuse_service_works:6.0",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat JBoss Fuse Service Works",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         acknowledgments: [
            {
               names: [
                  "Florian Weimer",
               ],
               organization: "Red Hat Product Security Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-2035",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2013-04-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "958618",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2035",
            },
            {
               category: "external",
               summary: "RHBZ#958618",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
            },
         ],
         release_date: "2013-05-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 3.3,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
      },
      {
         acknowledgments: [
            {
               names: [
                  "David Illsley",
               ],
            },
            {
               names: [
                  "Ron Gutierrez",
               ],
               organization: "Gotham Digital Science",
            },
            {
               names: [
                  "David Jorm",
               ],
               organization: "Red Hat Security Response Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-6440",
         cwe: {
            id: "CWE-611",
            name: "Improper Restriction of XML External Entity Reference",
         },
         discovery_date: "2013-12-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1043332",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-6440",
            },
            {
               category: "external",
               summary: "RHBZ#1043332",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1043332",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-6440",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-6440",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6440",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6440",
            },
            {
               category: "external",
               summary: "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml",
               url: "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml",
            },
         ],
         release_date: "2013-12-11T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Stuart Douglas",
               ],
               organization: "Red Hat",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0018",
         discovery_date: "2014-01-13T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1052783",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jboss-as-server: Unchecked access to MSC Service Registry under JSM",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0018",
            },
            {
               category: "external",
               summary: "RHBZ#1052783",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1052783",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0018",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0018",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0018",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0018",
            },
         ],
         release_date: "2014-01-11T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jboss-as-server: Unchecked access to MSC Service Registry under JSM",
      },
      {
         cve: "CVE-2014-0058",
         discovery_date: "2014-02-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1063641",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "EAP6: Plain text password logging during security audit",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0058",
            },
            {
               category: "external",
               summary: "RHBZ#1063641",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1063641",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0058",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0058",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
            },
         ],
         release_date: "2014-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "EAP6: Plain text password logging during security audit",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Josef Cacek",
               ],
               organization: "Red Hat JBoss EAP Quality Engineering team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0093",
         discovery_date: "2014-02-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1070046",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "6: JSM policy not respected by deployed applications",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0093",
            },
            {
               category: "external",
               summary: "RHBZ#1070046",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1070046",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0093",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0093",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0093",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0093",
            },
         ],
         release_date: "2014-02-21T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "HIGH",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "6: JSM policy not respected by deployed applications",
      },
      {
         cve: "CVE-2014-0107",
         cwe: {
            id: "CWE-358",
            name: "Improperly Implemented Security Check for Standard",
         },
         discovery_date: "2014-03-24T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1080248",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Xalan-Java: insufficient constraints in secure processing feature",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse Service Works 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0107",
            },
            {
               category: "external",
               summary: "RHBZ#1080248",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1080248",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0107",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0107",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0107",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0107",
            },
            {
               category: "external",
               summary: "http://www.ocert.org/advisories/ocert-2014-002.html",
               url: "http://www.ocert.org/advisories/ocert-2014-002.html",
            },
         ],
         release_date: "2014-03-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-12-15T20:35:32+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Fuse Service Works installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Fuse Service Works\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Fuse Service Works server by starting the JBoss Application\nServer process.",
               product_ids: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1995",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse Service Works 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Xalan-Java: insufficient constraints in secure processing feature",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat JBoss BRMS 6.0.3, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.0.3 serves as a replacement for Red\nHat JBoss BRMS 6.0.2, and includes bug fixes and enhancements. Refer to the\nRed Hat JBoss BRMS 6.0.3 Release Notes for information on the most\nsignificant of these changes. The Release Notes are available at\nhttps://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/\n\nThe following security issues are fixed with this release:\n\nIt was found that the secure processing feature of Xalan-Java had\ninsufficient restrictions defined for certain properties and features.\nA remote attacker able to provide Extensible Stylesheet Language\nTransformations (XSLT) content to be processed by an application using\nXalan-Java could use this flaw to bypass the intended constraints of the\nsecure processing feature. Depending on the components available in the\nclasspath, this could lead to arbitrary remote code execution in the\ncontext of the application server running the application that uses\nXalan-Java. (CVE-2014-0107)\n\nIt was found that the ParserPool and Decrypter classes in the OpenSAML\nJava implementation resolved external entities, permitting XML External\nEntity (XXE) attacks. A remote attacker could use this flaw to read files\naccessible to the user running the application server, and potentially\nperform other more advanced XXE attacks. (CVE-2013-6440)\n\nIt was found that Java Security Manager permissions configured via a policy\nfile were not properly applied, causing all deployed applications to be\ngranted the java.security.AllPermission permission. In certain cases, an\nattacker could use this flaw to circumvent expected security measures to\nperform actions which would otherwise be restricted. (CVE-2014-0093)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nIn Red Hat JBoss Enterprise Application Platform, when running under a\nsecurity manager, it was possible for deployed code to get access to the\nModular Service Container (MSC) service registry without any permission\nchecks. This could allow malicious deployments to modify the internal state\nof the server in various ways. (CVE-2014-0018)\n\nIt was found that the security audit functionality logged request\nparameters in plain text. This may have caused passwords to be included in\nthe audit log files when using BASIC or FORM-based authentication. A local\nattacker with access to audit log files could possibly use this flaw to\nobtain application or server authentication credentials. (CVE-2014-0058)\n\nThe CVE-2013-6440 issue was discovered by David Illsley, Ron Gutierrez of\nGotham Digital Science, and David Jorm of Red Hat Product Security; the\nCVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP\nQuality Engineering team; the CVE-2013-2035 issue was discovered by Florian\nWeimer of Red Hat Product Security; and the CVE-2014-0018 issue was\ndiscovered by Stuart Douglas of Red Hat.\n\nAll users of Red Hat JBoss BRMS 6.0.2 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.0.3.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2014:1290",
            url: "https://access.redhat.com/errata/RHSA-2014:1290",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/",
            url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/",
         },
         {
            category: "external",
            summary: "958618",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
         },
         {
            category: "external",
            summary: "1043332",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1043332",
         },
         {
            category: "external",
            summary: "1052783",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1052783",
         },
         {
            category: "external",
            summary: "1063641",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1063641",
         },
         {
            category: "external",
            summary: "1070046",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1070046",
         },
         {
            category: "external",
            summary: "1080248",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1080248",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1290.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.0.3 update",
      tracking: {
         current_release_date: "2025-02-06T19:05:30+00:00",
         generator: {
            date: "2025-02-06T19:05:30+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.3.0",
            },
         },
         id: "RHSA-2014:1290",
         initial_release_date: "2014-09-23T20:19:55+00:00",
         revision_history: [
            {
               date: "2014-09-23T20:19:55+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2019-02-20T12:33:47+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-02-06T19:05:30+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat JBoss BRMS 6.0",
                        product: {
                           name: "Red Hat JBoss BRMS 6.0",
                           product_id: "Red Hat JBoss BRMS 6.0",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_brms:6.0",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Decision Manager",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         acknowledgments: [
            {
               names: [
                  "Florian Weimer",
               ],
               organization: "Red Hat Product Security Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-2035",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2013-04-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "958618",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2035",
            },
            {
               category: "external",
               summary: "RHBZ#958618",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
            },
         ],
         release_date: "2013-05-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 3.3,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
      },
      {
         acknowledgments: [
            {
               names: [
                  "David Illsley",
               ],
            },
            {
               names: [
                  "Ron Gutierrez",
               ],
               organization: "Gotham Digital Science",
            },
            {
               names: [
                  "David Jorm",
               ],
               organization: "Red Hat Security Response Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-6440",
         cwe: {
            id: "CWE-611",
            name: "Improper Restriction of XML External Entity Reference",
         },
         discovery_date: "2013-12-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1043332",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-6440",
            },
            {
               category: "external",
               summary: "RHBZ#1043332",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1043332",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-6440",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-6440",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6440",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6440",
            },
            {
               category: "external",
               summary: "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml",
               url: "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml",
            },
         ],
         release_date: "2013-12-11T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Stuart Douglas",
               ],
               organization: "Red Hat",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0018",
         discovery_date: "2014-01-13T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1052783",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jboss-as-server: Unchecked access to MSC Service Registry under JSM",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0018",
            },
            {
               category: "external",
               summary: "RHBZ#1052783",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1052783",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0018",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0018",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0018",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0018",
            },
         ],
         release_date: "2014-01-11T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jboss-as-server: Unchecked access to MSC Service Registry under JSM",
      },
      {
         cve: "CVE-2014-0058",
         discovery_date: "2014-02-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1063641",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "EAP6: Plain text password logging during security audit",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0058",
            },
            {
               category: "external",
               summary: "RHBZ#1063641",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1063641",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0058",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0058",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
            },
         ],
         release_date: "2014-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "EAP6: Plain text password logging during security audit",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Josef Cacek",
               ],
               organization: "Red Hat JBoss EAP Quality Engineering team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0093",
         discovery_date: "2014-02-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1070046",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "6: JSM policy not respected by deployed applications",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0093",
            },
            {
               category: "external",
               summary: "RHBZ#1070046",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1070046",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0093",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0093",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0093",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0093",
            },
         ],
         release_date: "2014-02-21T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "HIGH",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "6: JSM policy not respected by deployed applications",
      },
      {
         cve: "CVE-2014-0107",
         cwe: {
            id: "CWE-358",
            name: "Improperly Implemented Security Check for Standard",
         },
         discovery_date: "2014-03-24T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1080248",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Xalan-Java: insufficient constraints in secure processing feature",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss BRMS 6.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0107",
            },
            {
               category: "external",
               summary: "RHBZ#1080248",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1080248",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0107",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0107",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0107",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0107",
            },
            {
               category: "external",
               summary: "http://www.ocert.org/advisories/ocert-2014-002.html",
               url: "http://www.ocert.org/advisories/ocert-2014-002.html",
            },
         ],
         release_date: "2014-03-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-09-23T20:19:55+00:00",
               details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
               product_ids: [
                  "Red Hat JBoss BRMS 6.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:1290",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss BRMS 6.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Xalan-Java: insufficient constraints in secure processing feature",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat\nJBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2014:0400",
            url: "https://access.redhat.com/errata/RHSA-2014:0400",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/",
            url: "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/",
         },
         {
            category: "external",
            summary: "958618",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
         },
         {
            category: "external",
            summary: "999263",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263",
         },
         {
            category: "external",
            summary: "1000186",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186",
         },
         {
            category: "external",
            summary: "1001326",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326",
         },
         {
            category: "external",
            summary: "1039783",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783",
         },
         {
            category: "external",
            summary: "1045257",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257",
         },
         {
            category: "external",
            summary: "1053290",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290",
         },
         {
            category: "external",
            summary: "1062337",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337",
         },
         {
            category: "external",
            summary: "1067265",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265",
         },
         {
            category: "external",
            summary: "1075296",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296",
         },
         {
            category: "external",
            summary: "1075328",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0400.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update",
      tracking: {
         current_release_date: "2025-04-09T15:45:26+00:00",
         generator: {
            date: "2025-04-09T15:45:26+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.2",
            },
         },
         id: "RHSA-2014:0400",
         initial_release_date: "2014-04-14T13:46:50+00:00",
         revision_history: [
            {
               date: "2014-04-14T13:46:50+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2014-04-14T14:27:37+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-04-09T15:45:26+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat JBoss Fuse 6.1",
                        product: {
                           name: "Red Hat JBoss Fuse 6.1",
                           product_id: "Red Hat JBoss Fuse 6.1",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_fuse:6.1.0",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Fuse Enterprise Middleware",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2013-1624",
         cwe: {
            id: "CWE-385",
            name: "Covert Timing Channel",
         },
         discovery_date: "2013-02-04T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "908428",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "bouncycastle: TLS CBC padding timing attack",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-1624",
            },
            {
               category: "external",
               summary: "RHBZ#908428",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=908428",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-1624",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-1624",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
            },
            {
               category: "external",
               summary: "http://www.isg.rhul.ac.uk/tls/",
               url: "http://www.isg.rhul.ac.uk/tls/",
            },
            {
               category: "external",
               summary: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
               url: "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
            },
         ],
         release_date: "2013-02-04T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "HIGH",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5.1,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "bouncycastle: TLS CBC padding timing attack",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Florian Weimer",
               ],
               organization: "Red Hat Product Security Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-2035",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2013-04-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "958618",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2035",
            },
            {
               category: "external",
               summary: "RHBZ#958618",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=958618",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2035",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
            },
         ],
         release_date: "2013-05-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 3.3,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
      },
      {
         cve: "CVE-2013-2172",
         cwe: {
            id: "CWE-290",
            name: "Authentication Bypass by Spoofing",
         },
         discovery_date: "2013-08-20T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "999263",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Java: XML signature spoofing",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2172",
            },
            {
               category: "external",
               summary: "RHBZ#999263",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=999263",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2172",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2172",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2172",
            },
            {
               category: "external",
               summary: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
               url: "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
            },
         ],
         release_date: "2013-06-25T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5.8,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Java: XML signature spoofing",
      },
      {
         cve: "CVE-2013-2192",
         discovery_date: "2013-08-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1001326",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "hadoop: man-in-the-middle vulnerability",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-2192",
            },
            {
               category: "external",
               summary: "RHBZ#1001326",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1001326",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-2192",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-2192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-2192",
            },
         ],
         release_date: "2013-08-23T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "HIGH",
                  accessVector: "ADJACENT_NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 3.2,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:A/AC:H/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "hadoop: man-in-the-middle vulnerability",
      },
      {
         cve: "CVE-2013-4152",
         discovery_date: "2013-08-22T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1000186",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: XML External Entity (XXE) injection flaw",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-4152",
            },
            {
               category: "external",
               summary: "RHBZ#1000186",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1000186",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-4152",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-4152",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2013-4152",
               url: "http://www.gopivotal.com/security/cve-2013-4152",
            },
            {
               category: "external",
               summary: "https://github.com/SpringSource/spring-framework/pull/317",
               url: "https://github.com/SpringSource/spring-framework/pull/317",
            },
            {
               category: "external",
               summary: "https://jira.springsource.org/browse/SPR-10806",
               url: "https://jira.springsource.org/browse/SPR-10806",
            },
         ],
         release_date: "2013-08-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: XML External Entity (XXE) injection flaw",
      },
      {
         cve: "CVE-2013-4517",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2013-12-20T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1045257",
            },
         ],
         notes: [
            {
               category: "description",
               text: "It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Java: Java XML Signature DoS Attack",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4;  Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-4517",
            },
            {
               category: "external",
               summary: "RHBZ#1045257",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1045257",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-4517",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-4517",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4517",
            },
         ],
         release_date: "2013-11-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Java: Java XML Signature DoS Attack",
      },
      {
         cve: "CVE-2013-6429",
         cwe: {
            id: "CWE-611",
            name: "Improper Restriction of XML External Entity Reference",
         },
         discovery_date: "2014-01-14T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1053290",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: XML External Entity (XXE) injection flaw",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-6429",
            },
            {
               category: "external",
               summary: "RHBZ#1053290",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1053290",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-6429",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-6429",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6429",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2013-6429",
               url: "http://www.gopivotal.com/security/cve-2013-6429",
            },
         ],
         release_date: "2014-01-14T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: XML External Entity (XXE) injection flaw",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Jon Passki",
               ],
               organization: "Coverity SRL",
            },
            {
               names: [
                  "Arun Neelicattu",
               ],
               organization: "Red Hat Security Response Team",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2013-6430",
         discovery_date: "2013-12-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1039783",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2013-6430",
            },
            {
               category: "external",
               summary: "RHBZ#1039783",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1039783",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2013-6430",
               url: "https://www.cve.org/CVERecord?id=CVE-2013-6430",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6430",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2013-6430",
               url: "http://www.gopivotal.com/security/cve-2013-6430",
            },
         ],
         release_date: "2014-01-14T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters",
      },
      {
         cve: "CVE-2014-0050",
         discovery_date: "2014-02-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1062337",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0050",
            },
            {
               category: "external",
               summary: "RHBZ#1062337",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1062337",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0050",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0050",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0050",
            },
         ],
         release_date: "2014-02-06T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream",
      },
      {
         cve: "CVE-2014-0054",
         discovery_date: "2014-03-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1075328",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0054",
            },
            {
               category: "external",
               summary: "RHBZ#1075328",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075328",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0054",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0054",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0054",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2014-0054",
               url: "http://www.gopivotal.com/security/cve-2014-0054",
            },
         ],
         release_date: "2014-01-31T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Graeme Colman",
               ],
               organization: "Red Hat",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2014-0085",
         cwe: {
            id: "CWE-522",
            name: "Insufficiently Protected Credentials",
         },
         discovery_date: "2014-02-13T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1067265",
            },
         ],
         notes: [
            {
               category: "description",
               text: "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Fuse: admin user cleartext password appears in logging",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-0085",
            },
            {
               category: "external",
               summary: "RHBZ#1067265",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067265",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-0085",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-0085",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0085",
            },
         ],
         release_date: "2014-04-14T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "LOW",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 2.1,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "Fuse: admin user cleartext password appears in logging",
      },
      {
         cve: "CVE-2014-1904",
         cwe: {
            id: "CWE-79",
            name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
         },
         discovery_date: "2014-03-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1075296",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Framework: cross-site scripting flaw when using Spring MVC",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-1904",
            },
            {
               category: "external",
               summary: "RHBZ#1075296",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1075296",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-1904",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-1904",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-1904",
            },
            {
               category: "external",
               summary: "http://www.gopivotal.com/security/cve-2014-1904",
               url: "http://www.gopivotal.com/security/cve-2014-1904",
            },
         ],
         release_date: "2014-02-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Framework: cross-site scripting flaw when using Spring MVC",
      },
      {
         cve: "CVE-2014-3584",
         cwe: {
            id: "CWE-835",
            name: "Loop with Unreachable Exit Condition ('Infinite Loop')",
         },
         discovery_date: "2014-10-27T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1157330",
            },
         ],
         notes: [
            {
               category: "description",
               text: "The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.\n\nFuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat JBoss Fuse 6.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2014-3584",
            },
            {
               category: "external",
               summary: "RHBZ#1157330",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1157330",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2014-3584",
               url: "https://www.cve.org/CVERecord?id=CVE-2014-3584",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3584",
            },
         ],
         release_date: "2014-10-25T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2014-04-14T13:46:50+00:00",
               details: "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
               product_ids: [
                  "Red Hat JBoss Fuse 6.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2014:0400",
            },
         ],
         scores: [
            {
               cvss_v2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               products: [
                  "Red Hat JBoss Fuse 6.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens",
      },
   ],
}