Updated Red Hat JBoss Enterprise Application Platform 6.3.2 packages that fix three security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that Apache CXF incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication. (CVE-2014-3623)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of Red Hat JBoss Enterprise Application Platform 6.3.2 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
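To show why the CN extraction flaw class matters to a hostname verifier, here is an added illustration (not code from the advisory, Apache CXF or HttpClient): a string-split extraction of CN from a subject DN beside an RDN-aware one, both run over two constructed subjects in RFC 2253 form. Class and method names are assumptions made for this demonstration; a real verifier should match dNSName entries from the subjectAltName extension first and consult the CN only as a fallback.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class SubjectCnCheck {
    // Flawed extraction of the kind the advisory describes: split the subject DN on
    // commas and take whatever follows "CN=" in each piece, so an escaped comma inside
    // another attribute's value is treated as the end of that attribute.
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String piece : subjectDn.split(",")) {
            int at = piece.indexOf("CN=");
            if (at >= 0) cns.add(piece.substring(at + 3));
        }
        return cns;
    }
    // Hardened extraction: parse the DN into RDNs (RFC 2253 escaping honoured) and
    // keep only values whose attribute type really is CN.
    static List<String> rdnCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(rdn.getValue().toString());
        }
        return cns;
    }
    // Case-insensitive host match; a leading "*." wildcard covers exactly one label.
    static boolean hostMatches(String host, String cn) {
        String h = host.toLowerCase(Locale.ROOT), c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) return h.equals(c);
        String suffix = c.substring(1);                       // e.g. ".example.com"
        return h.endsWith(suffix) && h.indexOf('.') == h.length() - suffix.length();
    }
    public static void main(String[] args) throws InvalidNameException {
        String host = "www.example.com";
        // Constructed RFC 2253 subjects (the form X500Principal.getName() returns):
        // a legitimate one, and one whose O value holds an escaped comma followed by "CN=".
        String[] subjects = {
            "CN=www.example.com,O=Example Corp,C=US",
            "O=foo\\,CN=www.example.com,CN=other.example.net"
        };
        for (String dn : subjects) {
            boolean naive = naiveCns(dn).stream().anyMatch(cn -> hostMatches(host, cn));
            boolean parsed = rdnCns(dn).stream().anyMatch(cn -> hostMatches(host, cn));
            System.out.printf("%s%n  naive=%b  rdn-parsed=%b%n", dn, naive, parsed);
        }
    }
}
```

For the second subject the split-based extraction accepts the host while the RDN-aware one does not, which is the difference the advisory's fix is about.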
Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

JBoss Enterprise Application Platform 6 EL5

SRPMS:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el5.src.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el5.src.rpm
 
IA-32:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el5.noarch.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el5.noarch.rpm
 
x86_64:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el5.noarch.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el5.noarch.rpm
 
JBoss Enterprise Application Platform 6 EL6

SRPMS:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el6.src.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el6.src.rpm
 
IA-32:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el6.noarch.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el6.noarch.rpm
 
PPC:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el6.noarch.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el6.noarch.rpm
 
x86_64:
apache-cxf-2.7.12-1.SP1_redhat_5.1.ep6.el6.noarch.rpm
wss4j-1.6.16-2.redhat_3.1.ep6.el6.noarch.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
1129074 – CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 – CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
1157304 – CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
