- Issued:
- 2016-10-06
- Updated:
- 2016-10-06
RHSA-2016:2036 - Important: Red Hat JBoss A-MQ 6.3 security update
Synopsis
Important: Red Hat JBoss A-MQ 6.3 security update
Type/Severity
Security Advisory Important
Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
Solution
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Middleware | Text-Only Advisories | x86_64 |
Fixes
- This content is not included.BZ - 1239002
- This content is not included.BZ - 1276272
- This content is not included.BZ - 1343346
CVEs
References
- https://access.redhat.com/security/updates/classification/#important
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0
- This content is not included.This content is not included.https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.