- Issued:
- 2013-03-04
- Updated:
- 2013-03-04
RHSA-2013:0586 - Important: jbosssx security update
Synopsis
Important: jbosssx security update
Type/Severity
Security Advisory Important
Topic
An update for JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 which fixes one security issue is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Description
JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure.
When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)
Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.
All users of JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 as provided from the Red Hat Customer Portal are advised to apply this update.
Solution
The References section of this erratum contains download links (you must log in to download the update). Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.
For JBoss Enterprise BRMS Platform, JBoss Enterprise Portal Platform, and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Middleware | Text-Only Advisories | x86_64 |
Fixes
CVEs
References
- https://access.redhat.com/security/updates/classification/#important
- Content from tools.ietf.org is not included.Content from tools.ietf.org is not included.http://tools.ietf.org/html/rfc4513
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.2.0.GA_CP05
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=soaplatform&version=4.3.0.GA_CP05
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.