Resolution for OpenSSL CCS Injection Vulnerability (CVE-2014-0224) in Red Hat JBoss Middleware Products

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 5.x
  • Red Hat JBoss Enterprise Web Platform (EWP)
    • 5.x
  • Red Hat JBoss Enterprise Web Server (EWS)
    • 2.0.x
  • Using APR connector provided as Native component
  • OpenSSL library provided as Native component for Windows/Solaris

Issue

  • How do I avoid impact to a Red Hat JBoss application from CVE-2014-0224?
  • How do I know if my Red Hat JBoss application is vulnerable to CVE-2014-0224?
  • How does CVE-2014-0224 affect Red Hat JBoss EAP 5?
  • There are security advisories for CVE-2014-0224 which can be downloaded for EAP 5.2 and 6.2, but not for other versions. So does this vulnerability affect EAP 5.1.2 or EAP 6.1?
  • For JBoss EAP 5.2.0, I can't find security advisories of CVE-2014-0224 for the Linux platform.

Resolution

The flaw affects servers offering an OpenSSL connection, or clients connecting to vulnerable servers. To exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL: the server must be using OpenSSL 1.0.1 or later, while the client may be using any version of OpenSSL. Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Enterprise Web Platform, and Red Hat JBoss Web Server include OpenSSL 0.9.8e, so this flaw is only exploitable when that OpenSSL is used as a client communicating with a vulnerable server running OpenSSL 1.0.1 or later.

To avoid exploitation of CVE-2014-0224, ensure that your system is updated in accordance with the following advisories:

  Advisory          Applicable Product / Version
  RHSA-2014:0630    JBoss EAP 5.2
  RHSA-2014:0631    JBoss EAP 6.2 CP03 / 6.2.3
  RHSA-2014:0632    JBoss EWS 2.0.1
  RHSA-2014:0633    JBoss EWP 5.2

Patch installation instructions are provided in the advisories.

Note that these patches only apply to the Windows and Solaris operating systems, which do not supply their own OpenSSL package. On other operating systems, you address this flaw by patching the operating system's OpenSSL package. For Red Hat Enterprise Linux, refer to the article Resolution for OpenSSL CCS Injection Vulnerability (CVE-2014-0224) in Red Hat Enterprise Linux.

EAP versions 4.x are not affected as they never shipped with OpenSSL.
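The two conditions above (server side exploitable only on OpenSSL 1.0.1 and later, client side on any version) can be turned into a quick triage check. The following shell script is an added example and is not part of this Red Hat solution: it classifies the output of `openssl version` for the OpenSSL the APR connector links against, and on Red Hat Enterprise Linux also checks whether the installed openssl RPM's changelog names the fix. The path to a native-component openssl binary is an assumption to be replaced with your own install location.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Classify an OpenSSL version string
# against the CVE-2014-0224 conditions given in the solution text:
#   server side : exploitable only on OpenSSL 1.0.1 and later
#   client side : exploitable on any OpenSSL version
# Input : the output of `openssl version`, e.g. "OpenSSL 0.9.8e 23 Feb 2007"
# Output: "server-and-client" or "client-only"
ccs_exposure() {
    printf '%s\n' "$1" | awk '{
        split($2, v, ".")            # "1.0.1e-fips" -> v[1]=1 v[2]=0 v[3]="1e-fips"
        sub(/[^0-9].*$/, "", v[3])   # drop the patch letter / suffix: "1e-fips" -> "1"
        if (v[1]+0 > 1 || (v[1]+0 == 1 && (v[2]+0 > 0 || v[3]+0 >= 1)))
            print "server-and-client"
        else
            print "client-only"
    }'
}

# On Red Hat Enterprise Linux the OS openssl package is what gets patched;
# a fixed package names the CVE in its RPM changelog. Returns 0 if found.
rhel_openssl_patched() {
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0224'
}

# Report on a given openssl binary (defaults to the one on PATH).
# NATIVE_OPENSSL is a hypothetical path for the Windows/Solaris native
# component; set it to your actual install location before use.
report() {
    bin=${1:-openssl}
    if command -v "$bin" >/dev/null 2>&1; then
        ver=$("$bin" version)
        echo "$bin: $ver -> $(ccs_exposure "$ver")"
    else
        echo "$bin: not found"
    fi
}

report openssl
report "${NATIVE_OPENSSL:-/opt/jboss/native/bin/openssl}"
if rhel_openssl_patched; then
    echo "RHEL openssl package changelog references CVE-2014-0224 (fixed build)"
fi
```

Read "server-and-client" as: this OpenSSL is in the version band where the server side of a connection is exploitable unless the build has been patched; "client-only" matches the shipped 0.9.8e case described above, where exposure is limited to outbound connections to a vulnerable server. The RPM changelog check only applies where the OS package is in use, that is, not to the Windows/Solaris native component.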

NOTE: For details on other, older versions of JBoss EAP, contact Red Hat Technical Support.
