본문 바로가기

취약점 정보1

Red Hat Security Advisory 2014-0400-03

728x90

Red Hat Security Advisory 2014-0400-03 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Security fixes: A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.

----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Fuse 6.1.0 update
Advisory ID: RHSA-2014:0400-03
Product: Red Hat JBoss Fuse
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0400.html
Issue date: 2014-04-14
CVE Names: CVE-2013-2035 CVE-2013-2172 CVE-2013-2192
CVE-2013-4152 CVE-2013-4517 CVE-2013-6429
CVE-2013-6430 CVE-2014-0050 CVE-2014-0054
CVE-2014-0085 CVE-2014-1904
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Security fixes:

A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)

It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)

The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)

A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)

It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)

A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)

The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.

3. Solution:

All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging
1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-2172.html
https://www.redhat.com/security/data/cve/CVE-2013-2192.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-4517.html
https://www.redhat.com/security/data/cve/CVE-2013-6429.html
https://www.redhat.com/security/data/cve/CVE-2013-6430.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://www.redhat.com/security/data/cve/CVE-2014-0054.html
https://www.redhat.com/security/data/cve/CVE-2014-0085.html
https://www.redhat.com/security/data/cve/CVE-2014-1904.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTS/JWXlSAg2UNWIIRAh+fAJ9677T5eyaDWJuYLiFlhdkjOhZncgCgwPG0
4iA38miFgmWgRtUp0Xztb6E=
=/1+z
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
728x90