Several security vulnerabilities have been identified in the JBoss Enterprise SOA Platform software package. Malicious attackers can exploit them to compromise system integrity and availability, disclose sensitive information, execute arbitrary code, and carry out DoS attacks.
Package:
JBoss Enterprise SOA Platform 5.x
Operating systems:
Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6
Severity:
7.8
Problem:
unspecified error, error in a software component
Flaws were discovered in the "JRuby" and "RESTEasy" software components, along with some unspecified errors.
Impact:
A remote attacker can exploit the flaws to compromise system integrity and availability, read confidential data, execute arbitrary code, and carry out a denial-of-service (DoS) attack.
Solution:
Users are advised to apply the vendor's software fixes.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise SOA Platform 5.3.0 update
Advisory ID: RHSA-2012:1125-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1125.html
Issue date: 2012-07-31
CVE Names: CVE-2011-3506 CVE-2011-3517 CVE-2011-4605
CVE-2011-4838 CVE-2012-0079 CVE-2012-0818
CVE-2012-2377
=====================================================================
1. Summary:
JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Description:
JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure.
This release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement
for JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/
The following security issues are also fixed with this release:
It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)
A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2011-4838)
Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2011-4838 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.
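The effect of hash randomization described for CVE-2011-4838, as an added example that is not part of the advisory and is not JRuby's code. It assumes a toy chained hash table, uses Java's String.hashCode() as the fixed hash, and uses SHA-256 over a random per-process seed as a stand-in for a randomized hash function; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.function.ToIntFunction;

// Added illustration: toy chained hash table, not JRuby's implementation.
public class HashCollisionDemo {
    // Inserts distinct keys into nBuckets chains and returns how many key
    // comparisons a lookup-before-insert performs (one per key already chained).
    static long insertAll(List<String> keys, int nBuckets, ToIntFunction<String> hash) {
        List<List<String>> buckets = new ArrayList<>();
        for (int i = 0; i < nBuckets; i++) buckets.add(new ArrayList<>());
        long comparisons = 0;
        for (String k : keys) {
            List<String> chain = buckets.get(Math.floorMod(hash.applyAsInt(k), nBuckets));
            comparisons += chain.size();   // k is compared with every key in its chain
            chain.add(k);
        }
        return comparisons;
    }

    // Constructed sample input: "Aa" and "BB" have the same String.hashCode(),
    // so every concatenation of `blocks` such pairs hashes to the same value.
    static List<String> equalHashKeys(int blocks) {
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int i = 0; i < blocks; i++) {
            List<String> next = new ArrayList<>();
            for (String p : keys) { next.add(p + "Aa"); next.add(p + "BB"); }
            keys = next;
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        List<String> keys = equalHashKeys(10);               // 1024 distinct keys
        byte[] seed = new byte[16];
        new SecureRandom().nextBytes(seed);                  // per-process secret seed
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        ToIntFunction<String> seeded = k -> {                // assumed stand-in for a randomized hash
            md.reset(); md.update(seed);
            byte[] d = md.digest(k.getBytes(StandardCharsets.UTF_8));
            return (d[0] & 0xff) << 24 | (d[1] & 0xff) << 16 | (d[2] & 0xff) << 8 | (d[3] & 0xff);
        };
        System.out.println("fixed hash:  " + insertAll(keys, 2048, String::hashCode) + " comparisons");
        System.out.println("seeded hash: " + insertAll(keys, 2048, seeded) + " comparisons");
    }
}
```

With the fixed hash every key lands in one chain, so the comparison count grows quadratically with the number of keys; with the seeded hash the keys spread across buckets because the caller cannot predict which inputs collide.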
It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. The fix for this issue is not
enabled by default. Refer to the Solution section for details.
(CVE-2012-0818)
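The entity resolution described for CVE-2012-0818, shown as an added example with the JDK's own JAXP DOM parser: default settings beside a hardened configuration. This is not RESTEasy code and not the fix shipped in the update; the class name, the temporary marker file and the XML document are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added illustration using the JDK's JAXP parser; not RESTEasy's own code.
public class XxeHardeningDemo {
    // Parser settings that refuse DOCTYPE declarations and external entities.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the XML and returns the text content of the root element.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file readable by the application server user.
        Path marker = Files.createTempFile("xxe-demo", ".txt");
        Files.write(marker, "CONSTRUCTED-MARKER".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>"
                + "<order>&ext;</order>";
        try {
            // JDK default settings resolve the entity: the file content lands in the DOM.
            System.out.println("default:  " + parse(DocumentBuilderFactory.newInstance(), xml));
            try {
                parse(hardenedFactory(), xml);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.delete(marker);
        }
    }
}
```

The same pair of calls works as a regression check: feed the constructed document to whatever factory an endpoint uses and confirm it is rejected rather than expanded.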
Multiple flaws were found in the Oracle OpenSSO authentication and
administration components. A remote attacker could use these flaws to
affect the integrity and availability of a service that uses Oracle
OpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)
Note: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of
the opensso quickstart example application. The CVE-2011-3506,
CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso
quickstart example application is deployed, or you have created and
deployed a custom application that is packaged with a copy of Oracle
OpenSSO as provided by the opensso quickstart.
The opensso quickstart has been removed in this release to address these
flaws. Users interested in continuing to receive updates for their custom
applications using Oracle OpenSSO are advised to contact Oracle as Red Hat
is no longer supporting OpenSSO.
When a JGroups channel is started, the JGroups diagnostics service would be
enabled by default with no authentication. This service is exposed via IP
multicast. An attacker on an adjacent network could exploit this flaw to
read diagnostics information. (CVE-2012-2377)
Red Hat would like to thank Christian SchlÄ