Issued:: 2015-08-24
Updated:: 2015-08-24

RHSA-2015:1670 - Moderate: Red Hat JBoss Enterprise Application Platform security update

Synopsis

Moderate: Red Hat JBoss Enterprise Application Platform security update

Type/Severity

Security Advisory Moderate

Topic

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

Description

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements. Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References.

The following security issue is also fixed with this release:

It was discovered that under specific conditions that PicketLink IDP ignores role based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role. (CVE-2015-3158)

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
JBoss Enterprise Application Platform	6	x86_64
JBoss Enterprise Application Platform	6	ppc64
JBoss Enterprise Application Platform	6	i386
JBoss Enterprise Application Platform	6.4	x86_64
JBoss Enterprise Application Platform	6.4	ppc64
JBoss Enterprise Application Platform	6.4	i386
JBoss Enterprise Application Platform from RHUI	6	x86_64
JBoss Enterprise Application Platform from RHUI	6	i386

Updated Packages

jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el6.noarch.rpm
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el6.src.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
hibernate4-entitymanager-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el6.src.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
hibernate4-core-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm

Fixes

CVEs

CVE-2015-3158

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.