U radu programskog paketa JBoss Enterprise Portal Platform uočeni su i ispravljeni nedostaci. Zlonamjerni napadači su ih mogli iskoristiti za izmjenu podataka, podmetanje zlonamjerno oblikovanih datoteka, otkrivanje osjetljivih informacija, proizvoljno pokretanje programskog koda i DoS napad.
Paket:
JBoss Enterprise Portal Platform 5.x
Operacijski sustavi:
Microsoft Windows Server 2008, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Sun Solaris 10
Kritičnost:
5
Problem:
CSRF, nepravilno rukovanje ovlastima, pogreška u programskoj funkciji, pogreška u programskoj komponenti
Uočene su greške u programskim komponentama "XMLScanner.java" i "JNDI", funkcijama "UnhandledDataStructure" i "WebPermissionMapping", neodovarajuće rukovanje ovlastima te CSFR (eng. Cross-Site Request Forgery) ranjivost.
Posljedica:
Posljedice napada uključuju izmjenu podataka, podmetanje zlonamjerno oblikovanih datoteka, čitanje povjerljivih podataka, izvršavanje proizvoljnog programskog koda i napad uskraćivanjem usluga (DoS).
Rješenje:
Kao rješenje problema sigurnosti savjetuje se žurna primjena dostupnih nadogradnji.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise Portal Platform 5.2.2 update
Advisory ID: RHSA-2012:1232-01
Product: JBoss Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1232.html
Issue date: 2012-09-05
CVE Names: CVE-2009-2625 CVE-2011-2908 CVE-2011-4605
CVE-2012-0213 CVE-2012-1167 CVE-2012-2377
=====================================================================
1. Summary:
JBoss Enterprise Portal Platform 5.2.2, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Description:
JBoss Enterprise Portal Platform is the open source implementation of the
Java EE suite of services and Portal services running atop JBoss Enterprise
Application Platform. It comprises a set of offerings for enterprise
customers who are looking for pre-configured profiles of JBoss Enterprise
Middleware components that have been tested and certified together to
provide an integrated experience.
This release of JBoss Enterprise Portal Platform 5.2.2 serves as a
replacement for JBoss Enterprise Portal Platform 5.2.1, and includes bug
fixes. Refer to the JBoss Enterprise Portal Platform 5.2.2 Release Notes
for information on the most significant of these changes. The Release Notes
will be available shortly from https://access.redhat.com/knowledge/docs/
The following security issues are also fixed with this release:
It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)
A flaw was found in the way the Apache Xerces2 Java Parser processed the
SYSTEM identifier in DTDs. A remote attacker could provide a
specially-crafted XML file, which once parsed by an application using the
Apache Xerces2 Java Parser, would lead to a denial of service (application
hang due to excessive CPU use). (CVE-2009-2625)
It was found that the JMX Console did not protect against Cross-Site
Request Forgery (CSRF) attacks. If a remote attacker could trick a user,
who was logged into the JMX Console, into visiting a specially-crafted URL,
the attacker could perform operations on MBeans, which may lead to
arbitrary code execution in the context of the JBoss server process.
(CVE-2011-2908)
A flaw was found in the way Apache POI, a Java API for manipulating files
created with a Microsoft Office application, handled memory when processing
certain Channel Definition Format (CDF) and Compound File Binary Format
(CFBF) documents. A remote attacker could provide a specially-crafted CDF
or CFBF document to an application using Apache POI, leading to a denial of
service. (CVE-2012-0213)
When a JBoss server is configured to use JaccAuthorizationRealm, the
WebPermissionMapping class creates permissions that are not checked and can
permit access to users without checking their roles. If the
ignoreBaseDecision property is set to true on JBossWebRealm, the web
authorization process is handled exclusively by JBossAuthorizationEngine,
without any input from JBoss Web. This allows any valid user to access an
application, without needing to be assigned the role specified in the
application's web.xml "security-constraint" tag. (CVE-2012-1167)
When a JGroups channel is started, the JGroups diagnostics service would be
enabled by default with no authentication. This service is exposed via IP
multicast. An attacker on an adjacent network could exploit this flaw to
read diagnostics information. (CVE-2012-2377)
Red Hat would like to thank Christian SchlÄ
Posljednje sigurnosne preporuke