(RHSA-2008:0828) Moderate: JBoss Enterprise Application Platform 4.3.0CP01 security update

2008-08-05 00:00:00
access.redhat.com

CVSS2: 5 Medium (vector AV:N/AC:L/Au:N/C:P/I:N/A:N)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.005 Low (percentile 74.4%)

JBoss EAP is a middleware platform for Java 2 Platform, Enterprise Edition
(J2EE) applications.

This release of JBoss EAP for Red Hat Enterprise Linux 5 contains the JBoss
Application Server and JBoss Seam. This release serves as a replacement for
JBoss EAP 4.3.0.GA, and fixes the following security issues:

The JavaServer Faces (JSF) component was vulnerable to multiple cross-site
scripting (XSS) vulnerabilities. An attacker could use these flaws to
inject arbitrary web script or HTML. (CVE-2008-1285)

Unauthenticated users were able to access the status servlet, which could
allow remote attackers to acquire details about deployed web contexts.
(CVE-2008-3273)

These updated packages include bug fixes and enhancements which are not
listed here. For a full list, refer to the JBoss EAP 4.3.0.CP01 release
notes, linked to in the “References” section of this advisory.

Warning: before applying this update, please back up the JBoss EAP
“server/[configuration]/deploy/” directory, and any customized
configuration files.

All users of JBoss EAP on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages, which resolve these issues.