(RHSA-2012:1166) Moderate: mod_cluster security update

2012-08-1300:00:00

access.redhat.com

0.005 Low

EPSS

Percentile

77.5%

JSON

mod_cluster is an Apache HTTP Server (httpd) based load balancer that
forwards requests from httpd to application server nodes. It can use the
AJP, HTTP, or HTTPS protocols for communication with application server
nodes.

The RHSA-2012:0035 update for JBoss Enterprise Web Server 1.0.2 introduced
a regression, causing mod_cluster to register and expose the root context
of a server by default, even when “ROOT” was in the “excludedContexts” list
in the mod_cluster configuration. If an application was deployed on the
root context, a remote attacker could use this flaw to bypass intended
access restrictions and gain access to that application. (CVE-2012-1154)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of JBoss Enterprise Web Server 1.0.2 on Red Hat Enterprise Linux 5
and 6 should upgrade to these updated packages, which resolve this issue.
Apache Tomcat must be restarted for this update to take effect.

OSVersionArchitecturePackageVersionFilename
RedHat5noarchmod_cluster-demo< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat6noarchmod_cluster-demo< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat5noarchmod_cluster-tomcat6< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat6srcmod_cluster< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm
RedHat5srcmod_cluster< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm
RedHat5noarchmod_cluster-jbossweb2< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat6noarchmod_cluster-tomcat6< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat6noarchmod_cluster-jbossas< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat6noarchmod_cluster-jbossweb2< 1.0.10-4.1.GA_CP02_patch01.ep5.el6mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat5noarchmod_cluster-jbossas< 1.0.10-4.1.GA_CP02_patch01.ep5.el5mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	noarch	mod_cluster-demo	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	6	noarch	mod_cluster-demo	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	5	noarch	mod_cluster-tomcat6	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	6	src	mod_cluster	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm
RedHat	5	src	mod_cluster	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm
RedHat	5	noarch	mod_cluster-jbossweb2	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm
RedHat	6	noarch	mod_cluster-tomcat6	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	6	noarch	mod_cluster-jbossas	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	6	noarch	mod_cluster-jbossweb2	< 1.0.10-4.1.GA_CP02_patch01.ep5.el6	mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm
RedHat	5	noarch	mod_cluster-jbossas	< 1.0.10-4.1.GA_CP02_patch01.ep5.el5	mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm

0.005 Low

EPSS

Percentile

77.5%

JSON

Related for RHSA-2012:1166