Red Hat Security Advisory: Red Hat JBoss Portal 6.2.0 update
🔗 CVE IDs covered (37)
📋 Description
CVE-2012-6153 — CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix CVE-2013-1624 — bouncycastle: TLS CBC padding timing attack CVE-2013-2133 — WS: EJB3 role restrictions are not applied to jaxws handlers CVE-2013-4286 — tomcat: multiple content-length header poisoning flaws CVE-2013-5855 — JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions CVE-2013-7285 — XStream: remote code execution due to insecure XML deserialization CVE-2014-0005 — PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application CVE-2014-0018 — jboss-as-server: Unchecked access to MSC Service Registry under JSM CVE-2014-0034 — CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid CVE-2014-0035 — CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy CVE-2014-0050 — apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream CVE-2014-0058 — EAP6: Plain text password logging during security audit CVE-2014-0059 — JBossSX/PicketBox: World readable audit.log file CVE-2014-0075 — Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter CVE-2014-0086 — RichFaces: remote denial of service via memory exhaustion CVE-2014-0093 — 6: JSM policy not respected by deployed applications CVE-2014-0096 — Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs CVE-2014-0099 — Tomcat/JBossWeb: Request smuggling via malicious content length header CVE-2014-0107 — Xalan-Java: insufficient constraints in secure processing feature CVE-2014-0109 — CXF: HTML content posted to SOAP endpoint could cause OOM errors CVE-2014-0110 — CXF: Large invalid content could cause temporary space to fill CVE-2014-0119 — Tomcat/JBossWeb: XML parser hijack by malicious web application CVE-2014-0193 — netty: DoS via memory exhaustion during data aggregation CVE-2014-0227 — Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter CVE-2014-0245 — WSRP: Information disclosure via unsafe concurrency handling in interceptor CVE-2014-3472 — Security: Invalid EJB caller role check implementation CVE-2014-3481 — JAX-RS: Information disclosure via XML eXternal Entity (XXE) CVE-2014-3490 — RESTEasy: XXE via parameter entities CVE-2014-3529 — apache-poi: XML eXternal Entity (XXE) flaw CVE-2014-3530 — PicketLink: XXE via insecure DocumentBuilderFactory usage CVE-2014-3574 — apache-poi: entity expansion (billion laughs) flaw CVE-2014-3577 — CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix CVE-2014-3586 — CLI: Insecure default permissions on history file CVE-2014-4172 — cas-client: Bypass of security constraints via URL parameter injection CVE-2014-7839 — RESTeasy: External entities expanded by DocumentProvider CVE-2015-0226 — wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487) CVE-2015-0227 — wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
🔗 References (40)
- selfhttps://access.redhat.com/errata/RHSA-2015:1009
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions
- externalhttps://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=908428
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=969924
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1049736
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1051277
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1052783
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1058454
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1062337
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1063641
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1063642
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1065139
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1067268
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1069921
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1070046
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1072776
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1080248
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1088342
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1092783
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1093526
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1093527
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1093529
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1093530
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1101303
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1102030
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1102038
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1103815
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1105242
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1107901
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1109196
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1112987
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1126687
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1129074
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1129916
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1131350
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1138135
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1138140
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1009.json