Issued:: 2014-04-30
Updated:: 2014-04-30

RHSA-2014:0459 - Important: Red Hat JBoss Fuse Service Works 6.0.0 security update

Synopsis

Important: Red Hat JBoss Fuse Service Works 6.0.0 security update

Type/Severity

Security Advisory Important

Topic

Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 1, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. Red Hat JBoss Fuse Service Works allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release:

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was found that the Apache Camel XSLT component would resolve entities in XML messages when transforming them using an XSLT route. A remote attacker able to submit messages to an XSLT Camel route could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML External Entity (XXE) attacks. (CVE-2014-0002)

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in the JBoss Web component of JBoss EAP, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

The CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of the Red Hat Security Response Team.

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Fuse Service Works installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Fuse Service Works server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Fuse Service Works server by starting the JBoss Application Server process.

Affected Products

Product	Version	Arch
Red Hat JBoss Middleware	Text-Only Advisories	x86_64

Fixes

CVEs

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.