(RHSA-2011:1456) Moderate: JBoss Enterprise SOA Platform 5.2.0 update

2011-11-16T05:00:00
ID RHSA-2011:1456
Type redhat
Reporter RedHat
Modified 2017-07-25T00:13:16

Description

JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality.

This release of JBoss Enterprise SOA Platform 5.2.0 serves as a replacement for JBoss Enterprise SOA Platform 5.1.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise SOA Platform 5.2.0 Release Notes. The Release Notes will be available shortly from https://docs.redhat.com/docs/en-US/index.html

The following security issues are also fixed with this release:

A cross-site scripting (XSS) flaw was found in JRuby (a Java implementation of Ruby), which is included in the scripting_chain sample application. The sample application does not expose this flaw. If the version of JRuby shipped with the scripting_chain sample application was used to build a custom application, a remote attacker could use this flaw to supply specially-crafted input to that application, leading to the execution of arbitrary HTML or web script. (CVE-2010-1330)

Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart. The CVE-2010-1330 flaw is not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application.

It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085)
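The verb-tampering pattern behind CVE-2011-4085 is a servlet security-constraint that enumerates the methods it protects: a request using any method not listed matches no constraint, so the container never asks for credentials. The script below is an added example, not code from the advisory or from the JBoss Enterprise SOA Platform itself. It audits a web.xml for that pattern and shows the shape of the fix (drop the per-method restriction so the constraint covers every method). The web.xml fragment is constructed for illustration; the resource name, role name and URL patterns are assumed rather than copied from httpha-invoker, and the second-layer security interceptor the advisory mentions is outside what a web.xml check can see, so verify that separately.

```python
"""Audit a web.xml security-constraint for HTTP verb tampering (the CVE-2011-4085 pattern).

Added example, not part of the advisory or the JBoss code base. The web.xml
fragment below is constructed for illustration; its resource name, role name
and URL patterns are assumptions, not the real httpha-invoker descriptor.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the weak pattern: only GET and POST are named, so a
# request using any other method is outside the constraint and is not
# authenticated by the container.
WEAK_WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); real web.xml files carry one."""
    return tag.rsplit("}", 1)[-1]


def _authenticated_constraints(root):
    """Security constraints that actually require a role (have <auth-constraint>).
    A constraint without one grants access anyway, so a method list there
    bypasses nothing. Collected up front so later edits do not disturb iteration."""
    return [
        sc for sc in root.iter()
        if _local(sc.tag) == "security-constraint"
        and any(_local(c.tag) == "auth-constraint" for c in sc)
    ]


def audit_web_xml(xml_text):
    """Return one finding per authenticated web-resource-collection that
    enumerates HTTP methods: (resource name, url patterns, listed methods).
    An empty list means every listed URL is protected for all methods."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in _authenticated_constraints(root):
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = next((c.text.strip() for c in wrc if _local(c.tag) == "web-resource-name"), "")
            patterns = [c.text.strip() for c in wrc if _local(c.tag) == "url-pattern"]
            methods = [c.text.strip().upper() for c in wrc if _local(c.tag) == "http-method"]
            if methods:
                findings.append((name, patterns, methods))
    return findings


def harden_web_xml(xml_text):
    """Return the web.xml with every <http-method> removed from authenticated
    constraints, so each constraint applies to all methods (the shape of the fix)."""
    root = ET.fromstring(xml_text)
    for sc in _authenticated_constraints(root):
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            for m in [c for c in wrc if _local(c.tag) == "http-method"]:
                wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, patterns, methods in audit_web_xml(WEAK_WEB_XML):
        print(f"{name}: {', '.join(patterns)} only protected for {', '.join(methods)}")
    print("after hardening:", audit_web_xml(harden_web_xml(WEAK_WEB_XML)))
```

Run it against a deployed descriptor with `audit_web_xml(open(path).read())`; any finding means the listed URL patterns can be reached unauthenticated with a method not in the list unless something behind the container (such as the invoker's security interceptor) rejects the call. The hardened form keeps the same `url-pattern` and `auth-constraint` elements and simply omits the method list, which is what makes the constraint apply to every HTTP method.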

Warning: Before applying the update, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on).

All users of JBoss Enterprise SOA Platform 5.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform 5.2.0.