JBoss Enterprise Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the industry's leading web server (Apache HTTP Server), the popular Apache Tomcat servlet container, as well as the mod_jk connector and the Tomcat Native library.
This 1.0.1 release of JBoss Enterprise Web Server serves as a replacement to JBoss Enterprise Web Server 1.0.0 GA. These updated packages include a number of bug fixes. For detailed component, installation, and bug fix information, refer to the JBoss Enterprise Web Server 1.0.1 Release Notes, available shortly from the link in the References section of this erratum.
The following security issues are also fixed with this release:
A directory traversal flaw was found in the Tomcat deployment process. An attacker could create a specially-crafted WAR file, which once deployed by a local, unsuspecting user, would lead to attacker-controlled content being deployed outside of the web root, into directories accessible to the Tomcat process. (CVE-2009-2693)
A second directory traversal flaw was found in the Tomcat deployment process. WAR file names were not sanitized, which could allow an attacker to create a specially-crafted WAR file that could delete files in the Tomcat host's work directory. (CVE-2009-2902)
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555)
This update provides a mitigation for this flaw in the following components:
tomcat5 and tomcat6: A new attribute, allowUnsafeLegacyRenegotiation, is available for the blocking IO (BIO) connector using JSSE, to enable or disable TLS session renegotiation. The default value is "false", meaning session renegotiation, both client- and server-initiated, is disabled by default.
tomcat-native: Client-initiated renegotiation is now rejected by the native connector. Server-initiated renegotiation is still allowed.
Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491
All users of JBoss Enterprise Web Server 1.0.0 on Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated packages.