rhea-2015_0955
Vulnerability from csaf_redhat
Published
2015-05-13 13:36
Modified
2024-11-22 08:50
Summary
Red Hat Enhancement Advisory: Red Hat JBoss Web Server 3.0.0 enhancement update

Notes

Topic
Updated Red Hat JBoss Web Server 3.0.0 packages are now available for Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. * This enhancement update adds the Red Hat JBoss Web Server 3.0.0 packages to Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (BZ#1164678) Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Red Hat JBoss Web Server 3.0.0 packages are now available for Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.0.0 packages to Red Hat Enterprise Linux 6 and 7, Solaris, and Microsoft Windows. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (BZ#1164678)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2015:0955",
        "url": "https://access.redhat.com/errata/RHEA-2015:0955"
      },
      {
        "category": "external",
        "summary": "1164678",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1164678"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhea-2015_0955.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: Red Hat JBoss Web Server 3.0.0  enhancement update",
    "tracking": {
      "current_release_date": "2024-11-22T08:50:07+00:00",
      "generator": {
        "date": "2024-11-22T08:50:07+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHEA-2015:0955",
      "initial_release_date": "2015-05-13T13:36:13+00:00",
      "revision_history": [
        {
          "date": "2015-05-13T13:36:13+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-05-13T13:36:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:50:07+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Server 3.0",
                "product": {
                  "name": "Red Hat JBoss Web Server 3.0",
                  "product_id": "Red Hat JBoss Web Server 3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Server"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-0204",
      "cwe": {
        "id": "CWE-757",
        "name": "Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
      },
      "discovery_date": "2015-01-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1180184"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects versions of openssl as shipped with Red Hat Enterprise Linux 5, 6 and 7. Errata have been released to correct this issue.\n\nThis issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact and does not plan to address this flaw for the openssl098e component in any future security updates.\n\nThis issue affects the version of openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Server 3.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0204"
        },
        {
          "category": "external",
          "summary": "RHBZ#1180184",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1180184"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0204",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0204"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0204",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0204"
        },
        {
          "category": "external",
          "summary": "https://securityblog.redhat.com/2015/03/04/factoring-rsa-export-keys-freak-cve-2015-0204/",
          "url": "https://securityblog.redhat.com/2015/03/04/factoring-rsa-export-keys-freak-cve-2015-0204/"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv_20150108.txt",
          "url": "https://www.openssl.org/news/secadv_20150108.txt"
        }
      ],
      "release_date": "2015-01-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-05-13T13:36:13+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Web Server 3.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2015:0955"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Web Server 3.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)"
    },
    {
      "cve": "CVE-2015-0298",
      "discovery_date": "2015-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1197769"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Server 3.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0298"
        },
        {
          "category": "external",
          "summary": "RHBZ#1197769",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1197769"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0298",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0298"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0298",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0298"
        }
      ],
      "release_date": "2015-05-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-05-13T13:36:13+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Web Server 3.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2015:0955"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.2,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Server 3.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.