An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes.

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.1.1.

The JBoss server process must be restarted for this update to take effect.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that a remote attacker could crash (segfault) the Apache HTTP Server by sending a specially crafted string to mod_cluster in service messages (MCMP). (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.
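The CVE-2016-5387 entry above describes a name collision rather than a parsing bug: CGI/1.1 exports every request header as HTTP_<NAME>, so a header literally called "Proxy" becomes HTTP_PROXY in the CGI child's environment, which is the variable many HTTP client libraries read for their outbound proxy. The following is an added example, not code from the advisory, from httpd or from Red Hat; it models the header-to-environment mapping, shows the collision on a constructed request, and pairs it with a hardened mapping that drops the colliding header. The header values, the 203.0.113.5 proxy address and the `effective_proxy` client model are assumptions for illustration.

```python
# Added example, not part of the Red Hat advisory: models the CGI/1.1
# header-to-environment mapping that turns a client-supplied "Proxy:" header
# into HTTP_PROXY (CVE-2016-5387), and a hardened mapping that drops it.
# Header and proxy values below are constructed for illustration.
from typing import Dict, Iterable, Optional, Tuple

Headers = Iterable[Tuple[str, str]]


def cgi_header_name(header: str) -> str:
    """RFC 3875 4.1.18: HTTP_ + header name upper-cased, '-' -> '_'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_env_naive(headers: Headers) -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported verbatim.

    Nothing in the RFC rule reserves HTTP_PROXY, so a header named "Proxy"
    (in any letter case, since header names are case-insensitive) lands in
    the variable that HTTP client libraries consult for their outbound proxy.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        env[cgi_header_name(name)] = value
    return env


# CGI names that collide with proxy configuration variables. Because every
# exported header carries the HTTP_ prefix, HTTP_PROXY is the only proxy
# variable a request header can reach; a set is used so a deployment can
# block further names if it needs to.
BLOCKED_CGI_NAMES = frozenset({"HTTP_PROXY"})


def cgi_env_hardened(headers: Headers) -> Dict[str, str]:
    """Post-fix behaviour: refuse to export headers that would collide."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = cgi_header_name(name)
        if key in BLOCKED_CGI_NAMES:
            continue  # drop the header instead of poisoning the child's env
        env[key] = value
    return env


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """Assumed model of a client library that honours either spelling.

    Several client implementations of the era checked the upper-case name
    as well as the lower-case one; inside a CGI child, the upper-case name
    is exactly the variable the attacker now controls.
    """
    return env.get("http_proxy") or env.get("HTTP_PROXY")


# Constructed request: an attacker adds a Proxy header to an ordinary GET.
ATTACK_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://203.0.113.5:8080"),  # 203.0.113.0/24 is documentation space
]

if __name__ == "__main__":
    naive = cgi_env_naive(ATTACK_HEADERS)
    hardened = cgi_env_hardened(ATTACK_HEADERS)
    print("naive    ->", effective_proxy(naive))     # http://203.0.113.5:8080
    print("hardened ->", effective_proxy(hardened))  # None
```

The patched httpd packages in this advisory stop exporting the header; on a server that cannot be updated immediately, the upstream workaround is to strip it at the front door with mod_headers (`RequestHeader unset Proxy early`), which keeps the header from ever reaching CGI, mod_fcgid or a reverse-proxied backend.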
Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non-security-related fixes.

JBoss Enterprise Web Server v2 EL6

SRPMS:
httpd-2.2.26-54.ep6.el6.src.rpm
    MD5: eea764698b146f592541c89c33f1750f
    SHA-256: 500e2f71d7ec5bfdc3a06bc409c1c153295dc9ac19d3cb94b104dd4636492110
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
    MD5: 963dc03d1a02d317a679000b14fac02a
    SHA-256: ac5b23430a44667cd0792bb73c6f3c366d4450d6239e7025095bcc72fb165513
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.src.rpm
    MD5: 8050428d6463af5430e28e70c3d7b474
    SHA-256: 3a72fb0b75092e961a40017f108538ac289199dfef358bf50597f22f64f9d505
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.src.rpm
    MD5: 7398b0838abe76a7fef1ef7978b274be
    SHA-256: 13f719c9842b1ff8c1bf8a216599ca2e53cb412fec11035cc83ae20e3fe9ade8
mod_jk-1.2.41-2.redhat_3.ep6.el6.src.rpm
    MD5: d6596e425e28c4e92b2261a820dd0e0a
    SHA-256: 071f674b58df13281c7c39dde9a2b14b99272795373a5ce7d628d704d191df01
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm
    MD5: d28d971ae5736394f7fbb125b0e05ed0
    SHA-256: f36bf2dafa5e715c97cf1a516f944bb4c6f2b98be1199f15b7508191d100b8ad
 
IA-32:
httpd-2.2.26-54.ep6.el6.i386.rpm
    MD5: 2f620897fde7952deda0559fd9f9249d
    SHA-256: 2ef8cdddf64eee31651657bad31abec8e607dc46b7f4c698351d74a261462d61
httpd-devel-2.2.26-54.ep6.el6.i386.rpm
    MD5: b32fe0a48b47ff99c52df86da99d17b3
    SHA-256: 04722287bb04ab20e50386340906e15279f5acc197ec64adf1ebbc406586e335
httpd-manual-2.2.26-54.ep6.el6.i386.rpm
    MD5: acfd1db3e2a03fb7572c761363845758
    SHA-256: 953df274cb9193c9cab480f8ecd8af48dda6e2d63de6bd4a3dd39e2c0499cd9a
httpd-tools-2.2.26-54.ep6.el6.i386.rpm
    MD5: 02d0d90b97b00d7d2973040e8e5ed6ec
    SHA-256: ea1765628eb3e4d08020227c0506b5b3adfa021b31e774f8879af06921b3ecff
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
    MD5: 55c3c3b5f68c76fac313b7ca0e184511
    SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 7f161860ac4557d0d1ac61a8bfe3852a
    SHA-256: 45b0aad95e6c5e6031e26e36865970c1948cf1a881b0c4e5680468e1a06c49d7
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 2b2acec99c551418e47a6fe8223c16bd
    SHA-256: f5ddc2a4bc86f5ec40f932aceeaf4d87eb1c012a300b4e2ffd11bfd2fecd7ba8
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 66978755c0f3ff07731c6e7de5017920
    SHA-256: ec9f2c353d7f1b3ebbe453ff5eb170304839f6ba4b98d903b1008100e98faa60
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 688b86a5500ec07141d70794c6633408
    SHA-256: e093d1532b16a8ad66a36413fcbfcd0e2b190d555c40308ca70f984cfa35d22d
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: fb5353cbf563d1d9c999709f4bcad07a
    SHA-256: 4e06824b17e7bfe3a69c968517b2573bb38977b93ed1cc6ec3bd9616ab3c4101
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm
    MD5: 26a66efa482cd82904ebdb713607bca3
    SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: 726be4ff11c8d5071f5b7a05a15df4ac
    SHA-256: fb69cc69b1ddbf4253f0b8232c9ee8191b4e1c1c9baa27eb0dd247ed0a654151
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm
    MD5: 0960a08b41ef13c51794bc2b3fcb7056
    SHA-256: ed043fcb58bce264b360afbd457eddfd9039dab8ff491d8f46ccdf567c6e6caf
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: 343b039081656533e9eaa79f39704ad7
    SHA-256: fe6253a930f33cf98a8eae8be88440559edabc13dbdb409a99517e9017fb6c4a
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: fd5163a84832db605e8fc01558c580f1
    SHA-256: dde11443657f40051c1b698086ad5bab49663bab081636d1a8b4571fe0aa2dc6
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.i386.rpm
    MD5: 584f2b9b2d6d104c4cca872c92ccca28
    SHA-256: a8038e44ab60da75b612201793949a5079c6863f0337536589166885649d85c5
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.i386.rpm
    MD5: d9cf6573fbceaf0bfd77ddd0992ca501
    SHA-256: bb2f5b6bb3907d866e3fea62aea319730aa06a55f13f716ce2cecfc418f8d334
mod_ssl-2.2.26-54.ep6.el6.i386.rpm
    MD5: ad1a0f3f8f4f5203d4171c787f90dcb0
    SHA-256: 2a5fd27067edc19626604ef553a5490f8a7eba49da369c3043d7a4a7c306779e
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
    MD5: f5ea8e1260998850436ff0c0d84e63b7
    SHA-256: d6e7500e9781ff94436a46aec1b0facc37d61429f80bcc9d4696ecfafe7aaac4
 
x86_64:
httpd-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 91556faf775acf8a5f130099cb076275
    SHA-256: 65a1e179b6e455b73a9aa23929f65fda99c2283cf33e0f6cb96f362efd9b2197
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: b00a921577b49c18ea2578e2444b4278
    SHA-256: 4e5e0e62a3e47307ca75d23e9fb8a97a117163a46d11911e7f926210a86a5a43
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 456777fc9cfbc7052cab5513cac10c49
    SHA-256: 8b0470615c47fafc22b9b08eecde0eca9f88371822869e76bbc2935a178a17fa
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: b5451282b70f72e3ffb4e850837b83ed
    SHA-256: 4aeb4ecadcca0e06707fd6ef87a629067f353061dd4016c2bbe2115e51f00774
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
    MD5: 55c3c3b5f68c76fac313b7ca0e184511
    SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 411ce2397cddf77a882ddbebcd8a0762
    SHA-256: 86225769181a6677c8ec92ac74db4281b41e73f0a782cb426867a50b6a0289ac
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: a8cdf0f72326e9801671c00af0594d4c
    SHA-256: 2f558d2b55fa44f8df23471b4d6e2bb67dbf6b05348d2fbe9d414248a93e687d
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 03a954c4787d3ccce6dbb131b922f110
    SHA-256: 62186db1184d1a37129d44771eeab73630109c5e3fa54f7d2e38e35ad1a98712
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 7598560deaba3370c3c85f83d6ab980e
    SHA-256: 588505e83e4e8d4e75d54b7faa1d4e727159d0a98f83b2dad73b6aa2026bb379
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 5f827452f347852789e667798d8964be
    SHA-256: 744051dbab7f5ad2d3157fdfa904452f51974219f1d66ca4976012e5142a5719
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm
    MD5: 26a66efa482cd82904ebdb713607bca3
    SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: 726be4ff11c8d5071f5b7a05a15df4ac
    SHA-256: fb69cc69b1ddbf4253f0b8232c9ee8191b4e1c1c9baa27eb0dd247ed0a654151
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm
    MD5: 6781a0b7d7c6fbaa720289b367e169eb
    SHA-256: e67be895b7a3e8f2eec5211052d2dccb6dfd3323ad9884d4abe520b7c881c537
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: 343b039081656533e9eaa79f39704ad7
    SHA-256: fe6253a930f33cf98a8eae8be88440559edabc13dbdb409a99517e9017fb6c4a
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
    MD5: fd5163a84832db605e8fc01558c580f1
    SHA-256: dde11443657f40051c1b698086ad5bab49663bab081636d1a8b4571fe0aa2dc6
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm
    MD5: ac5114b1ab597246b3cbdc1628f4dba1
    SHA-256: dd7dd5f7bd57c078160587a45c225ed97e6f713f5ede61468611d3e69f63d9a5
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm
    MD5: 768bc1f160d26d9175c901837b0f305a
    SHA-256: 11ecf9a96e1d788bb4f16492e9688d91ab564f1ec684834f599e9964258c50d1
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 6d218955f6ac6f6bb493467e2b9d6606
    SHA-256: e345df4f891e8278366a86e5db014d660c8306877aaa3357e9bb6e3af5cab6f4
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
    MD5: 272492dd826b88ad6bdb5e60d114b42d
    SHA-256: c66e650acf0a08d8088bec04e59c683358a115185820b1801ca677b7d612f71b
 
(The unlinked packages above are only available from the Red Hat Network)
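The listing above is what an operator checks a downloaded RPM against before installing it. The following is an added example, not code from the advisory or from any Red Hat tool: it parses a listing in this page's "filename / MD5 / SHA-256" layout (tolerating the run-together "MD5: ...SHA-256: ..." form that extraction sometimes produces), streams a file through SHA-256 and compares in constant time. The sample listing copies the x86_64 httpd entry from this page; the file contents hashed in the demo are constructed, and the helper names are this example's own.

```python
# Added example, not part of the Red Hat advisory or of Red Hat tooling:
# parse an advisory package listing and verify a downloaded RPM's SHA-256.
# SAMPLE_LISTING copies one x86_64 entry from this advisory; the bytes
# hashed in the __main__ demo are constructed and do not match it.
import hashlib
import hmac
import re
from pathlib import Path
from typing import Dict

SAMPLE_LISTING = """\
x86_64:
httpd-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 91556faf775acf8a5f130099cb076275
    SHA-256: 65a1e179b6e455b73a9aa23929f65fda99c2283cf33e0f6cb96f362efd9b2197
"""

_FILE_RE = re.compile(r"^\S+\.rpm$")
_MD5_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})")
_SHA256_RE = re.compile(r"SHA-256:\s*([0-9a-fA-F]{64})")


def parse_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filename: {"md5": ..., "sha256": ...}} for every .rpm line.

    The digest patterns use search() rather than match(), so a mangled line
    such as "MD5: <32 hex>SHA-256: <64 hex>" still yields both values.
    """
    expected: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if _FILE_RE.match(line):
            current = line
            expected[current] = {}
            continue
        if current is None:
            continue  # section headers such as "x86_64:" carry no digest
        m = _MD5_RE.search(line)
        if m:
            expected[current]["md5"] = m.group(1).lower()
        m = _SHA256_RE.search(line)
        if m:
            expected[current]["sha256"] = m.group(1).lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks; RPMs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(data: bytes, expected_sha256: str) -> bool:
    # Only SHA-256 is trusted here: MD5 is collision-prone and survives in
    # the listing for legacy tooling, not as an integrity control.
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def verify_file(path: Path, listing: Dict[str, Dict[str, str]]) -> bool:
    entry = listing.get(path.name)
    if not entry or "sha256" not in entry:
        return False  # package not in the advisory: refuse rather than skip
    return hmac.compare_digest(sha256_file(path), entry["sha256"])


if __name__ == "__main__":
    import tempfile

    listing = parse_listing(SAMPLE_LISTING)
    print(listing)
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "httpd-2.2.26-54.ep6.el6.x86_64.rpm"
        fake.write_bytes(b"not a real rpm")  # constructed content
        print("matches advisory:", verify_file(fake, listing))  # False
```

A matching digest proves only that the download is the file the advisory describes; origin is established by the GPG signature, which `rpm -K <package>.rpm` (`--checksig`) verifies against the Red Hat key imported into the rpm database, and which a plain checksum comparison cannot replace.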

1326320 – CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1331441 – CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 – CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1337151 – CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
1337155 – CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
1337396 – EWS 2.1.1 Tracker Bug for EL6
1353755 – CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1358118 – CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
1366541 – RPM: RHEL6: httpd service is not starting, LD_LIBRARY_PATH needs to be set

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
