(RHSA-2012:1052) Moderate: mod_cluster security update

2012-07-0300:00:00

access.redhat.com

0.005 Low

EPSS

Percentile

77.5%

JSON

mod_cluster is an Apache HTTP Server (httpd) based load balancer that
forwards requests from httpd to application server nodes. It can use the
AJP, HTTP, or HTTPS protocols for communication with application server
nodes.

The JBoss Enterprise Application Platform 5.1.2 release (RHSA-2011:1800,
RHSA-2011:1799, RHSA-2011:1798) introduced a regression, causing
mod_cluster to register and expose the root context of a server by default,
even when “ROOT” was in the “excludedContexts” list in the mod_cluster
configuration. If an application was deployed on the root context, a remote
attacker could use this flaw to bypass intended access restrictions and
gain access to that application. (CVE-2012-1154)

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform’s “server/[PROFILE]/deploy/” directory, along with all
other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise
Linux 4, 5, and 6 should upgrade to these updated packages, which correct
this issue. The JBoss server process must be restarted for this update to
take effect.

OSVersionArchitecturePackageVersionFilename
RedHat6noarchmod_cluster-demo< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat6noarchmod_cluster-tomcat6< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat5noarchmod_cluster-tomcat6< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat6srcmod_cluster< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm
RedHat6noarchmod_cluster-jbossas< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat5srcmod_cluster< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm
RedHat5noarchmod_cluster-jbossas< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat5noarchmod_cluster-jbossweb2< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat5noarchmod_cluster-demo< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat6noarchmod_cluster-jbossweb2< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	6	noarch	mod_cluster-demo	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	6	noarch	mod_cluster-tomcat6	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	5	noarch	mod_cluster-tomcat6	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	6	src	mod_cluster	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm
RedHat	6	noarch	mod_cluster-jbossas	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	5	src	mod_cluster	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm
RedHat	5	noarch	mod_cluster-jbossas	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	5	noarch	mod_cluster-jbossweb2	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	5	noarch	mod_cluster-demo	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	6	noarch	mod_cluster-jbossweb2	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm

0.005 Low

EPSS

Percentile

77.5%

JSON

Related for RHSA-2012:1052