rhsa-2014_0212
Vulnerability from csaf_redhat
Published
2014-02-25 16:41
Modified
2024-11-22 07:29
Summary
Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 update

Notes

Topic
Red Hat JBoss SOA Platform 5.3.1 roll up patch 4, which fixes two security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release: A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially-crafted XML signature block. (CVE-2013-2172) It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. (CVE-2013-4152) Warning: Before applying the update, back up your existing Red Hat JBoss SOA Platform installation (including its databases, applications, configuration files, and so on). All users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss SOA Platform 5.3.1 roll up patch 4, which fixes two security\nissues and various bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss SOA Platform is the next-generation ESB and business process\nautomation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage\nexisting (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and\nCEP) integration methodologies to dramatically improve business process\nexecution speed and quality.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA\nPlatform 5.3.1. It includes various bug fixes. The following security\nissues are also fixed with this release:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially-crafted XML signature block. (CVE-2013-2172)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. The patch for this flaw disables external entity\nprocessing by default, and provides a configuration directive to re-enable\nit. (CVE-2013-4152)\n\nWarning: Before applying the update, back up your existing Red Hat JBoss\nSOA Platform installation (including its databases, applications,\nconfiguration files, and so on).\n\nAll users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat\nCustomer Portal are advised to apply this roll up patch.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0212",
        "url": "https://access.redhat.com/errata/RHSA-2014:0212"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
      },
      {
        "category": "external",
        "summary": "999263",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
      },
      {
        "category": "external",
        "summary": "1000186",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1000186"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0212.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 update",
    "tracking": {
      "current_release_date": "2024-11-22T07:29:22+00:00",
      "generator": {
        "date": "2024-11-22T07:29:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0212",
      "initial_release_date": "2014-02-25T16:41:26+00:00",
      "revision_history": [
        {
          "date": "2014-02-25T16:41:26+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:33:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:29:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss SOA Platform 5.3",
                "product": {
                  "name": "Red Hat JBoss SOA Platform 5.3",
                  "product_id": "Red Hat JBoss SOA Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss SOA Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-2172",
      "cwe": {
        "id": "CWE-290",
        "name": "Authentication Bypass by Spoofing"
      },
      "discovery_date": "2013-08-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "999263"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Java: XML signature spoofing",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2172"
        },
        {
          "category": "external",
          "summary": "RHBZ#999263",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2172",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2172"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172"
        },
        {
          "category": "external",
          "summary": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
          "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
        }
      ],
      "release_date": "2013-06-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-02-25T16:41:26+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its databases,\napplications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform server\nby stopping the JBoss Application Server process before installing this\nupdate, and then after installing the update, restart the Red Hat JBoss SOA\nPlatform server by starting the JBoss Application Server process.",
          "product_ids": [
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0212"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Java: XML signature spoofing"
    },
    {
      "cve": "CVE-2013-4152",
      "discovery_date": "2013-08-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1000186"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Framework: XML External Entity (XXE) injection flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-4152"
        },
        {
          "category": "external",
          "summary": "RHBZ#1000186",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1000186"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-4152",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-4152"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4152"
        },
        {
          "category": "external",
          "summary": "http://www.gopivotal.com/security/cve-2013-4152",
          "url": "http://www.gopivotal.com/security/cve-2013-4152"
        },
        {
          "category": "external",
          "summary": "https://github.com/SpringSource/spring-framework/pull/317",
          "url": "https://github.com/SpringSource/spring-framework/pull/317"
        },
        {
          "category": "external",
          "summary": "https://jira.springsource.org/browse/SPR-10806",
          "url": "https://jira.springsource.org/browse/SPR-10806"
        }
      ],
      "release_date": "2013-08-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-02-25T16:41:26+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its databases,\napplications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform server\nby stopping the JBoss Application Server process before installing this\nupdate, and then after installing the update, restart the Red Hat JBoss SOA\nPlatform server by starting the JBoss Application Server process.",
          "product_ids": [
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0212"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Framework: XML External Entity (XXE) injection flaw"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.