ID: RHSA-2013:0248
Type: redhat
Reporter: RedHat
Modified: 2017-07-25T00:07:04

Description
JBoss Enterprise Application Platform is a platform for Java applications,
which integrates the JBoss Application Server with JBoss Hibernate and
JBoss Seam.

When using LDAP authentication with the provided LDAP login modules
(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by
default. An attacker could use this flaw to bypass intended authentication
by providing an empty password for a valid username, as the LDAP server may
recognize this as an 'unauthenticated authentication' (RFC 4513). This
update sets the allowEmptyPasswords option for the LDAP login modules to
false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided
from the Red Hat Customer Portal are advised to apply this update.
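The guard the advisory describes, together with a check for the configuration it changes, as an added example that is not part of the advisory and not Red Hat's or the JBoss project's code. It assumes a JBoss EAP 4/5-style login-config.xml layout (the sample below is constructed), uses the standard class names of the two login modules the advisory names, and stands in a toy directory for a real LDAP server; `audit_login_config`, `classify_bind` and `login_module_decision` are names chosen here.

```python
"""Added example, not code from Red Hat or the JBoss project: audit a JBoss
EAP 4/5-style login-config.xml for LDAP login modules that do not pin
allowEmptyPasswords to false, and model why the option matters under the
RFC 4513 simple-bind forms the advisory cites."""
import xml.etree.ElementTree as ET

# Standard JBoss class names of the two login modules named in the advisory.
LDAP_LOGIN_MODULES = {
    "org.jboss.security.auth.spi.LdapLoginModule",
    "org.jboss.security.auth.spi.LdapExtLoginModule",
}

# Constructed sample login-config.xml: "legacy-ldap" never set the option
# (so the pre-update default applied), "hardened-ldap" pins it to false.
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="legacy-ldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=people,dc=example,dc=com</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="hardened-ldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="local-users">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>
"""


def audit_login_config(xml_text):
    """Return (policy name, module class, finding) for every LDAP login module
    whose allowEmptyPasswords option is missing or not 'false'."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            code = module.get("code", "")
            if code not in LDAP_LOGIN_MODULES:
                continue
            options = {o.get("name"): (o.text or "").strip()
                       for o in module.findall("module-option")}
            value = options.get("allowEmptyPasswords")
            if value is None:
                findings.append((policy.get("name"), code,
                                 "allowEmptyPasswords not set; pre-update default allowed empty passwords"))
            elif value.lower() != "false":
                findings.append((policy.get("name"), code, f"allowEmptyPasswords={value}"))
    return findings


# Constructed toy directory for the bind model: DN -> password.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct-horse"}


def classify_bind(name, password):
    """Classify a simple Bind request by the RFC 4513 section 5.1 forms."""
    if not name and not password:
        return "anonymous"        # 5.1.1: anonymous bind
    if name and not password:
        return "unauthenticated"  # 5.1.2: a name but no credential at all
    if name and password:
        return "name_password"    # 5.1.3: the server actually checks the password
    return "malformed"            # password without a name: treated as a failure here


def login_module_decision(username, password, allow_empty_passwords, server_accepts_unauthenticated):
    """True when the login module would report the user as authenticated.
    The first check is the behaviour the update enforces by default."""
    if not password and not allow_empty_passwords:
        return False  # reject before any bind is attempted
    dn = f"uid={username},ou=people,dc=example,dc=com"
    form = classify_bind(dn, password)
    if form == "unauthenticated":
        # A server that accepts this form answers "success", but RFC 4513 only
        # grants an anonymous session; nothing about `username` was verified.
        return server_accepts_unauthenticated
    if form == "name_password":
        return DIRECTORY.get(dn) == password
    return False


if __name__ == "__main__":
    for policy, code, finding in audit_login_config(SAMPLE_LOGIN_CONFIG):
        print(f"{policy}: {code}: {finding}")
```

To run the audit against a real deployment, pass the contents of the server's login-config.xml to `audit_login_config`; each finding is a policy where the pre-update default applied. The bind model shows why the option has to be enforced on the JBoss side: a server that accepts an unauthenticated bind returns success without having checked any credential, so only a client-side refusal of empty passwords closes the gap.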
{"id": "RHSA-2013:0248", "hash": "edba810b2116afe6ee6a82b81e56de00", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2013:0248) Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update", "description": "JBoss Enterprise Application Platform is a platform for Java applications,\nwhich integrates the JBoss Application Server with JBoss Hibernate and\nJBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided\nfrom the Red Hat Customer Portal are advised to apply this update.\n", "published": "2013-02-11T05:00:00", "modified": "2017-07-25T00:07:04", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0248", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-5629"], "lastseen": "2017-07-26T22:57:35", "history": [{"lastseen": "2016-08-22T23:29:15", "edition": 1, "differentElements": ["modified"], "bulletin": {"published": "2013-02-11T05:00:00", "id": "RHSA-2013:0248", "modified": "2016-04-04T18:31:07", "history": [], "enchantments": {}, "bulletinFamily": "unix", "viewCount": 0, "cvelist": ["CVE-2012-5629"], "affectedPackage": [], "title": "(RHSA-2013:0248) Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update", 
"references": [], "description": "JBoss Enterprise Application Platform is a platform for Java applications,\nwhich integrates the JBoss Application Server with JBoss Hibernate and\nJBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of JBoss Enterprise Application Platform 4.3.0 CP10 as provided\nfrom the Red Hat Customer Portal are advised to apply this update.\n", "type": "redhat", "href": "https://access.redhat.com/errata/RHSA-2013:0248", "lastseen": "2016-08-22T23:29:15", "reporter": "RedHat", "objectVersion": "1.4", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}}], "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-5629"]}, {"type": "redhat", "idList": ["RHSA-2013:0234", "RHSA-2013:0230", "RHSA-2013:0233", "RHSA-2013:0232", "RHSA-2013:0586", "RHSA-2013:0231", "RHSA-2013:0249", "RHSA-2013:0229"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2013-0229.NASL", "REDHAT-RHSA-2013-0249.NASL", "REDHAT-RHSA-2013-0231.NASL"]}], "modified": "2017-07-26T22:57:35"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "affectedPackage": [], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"]}
{"cve": [{"lastseen": "2016-09-03T17:17:36", "bulletinFamily": "NVD", "description": "The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password.", "modified": "2015-01-17T21:59:15", "published": "2013-03-12T19:55:01", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5629", "id": "CVE-2012-5629", "type": "cve", "title": "CVE-2012-5629", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-06-12T21:09:06", "bulletinFamily": "unix", "description": "JBoss Enterprise Application Platform 6 is a platform for Java applications\nbased on JBoss Application Server 7.\n\nWhen using LDAP authentication with either the \"ldap\" configuration entry\nor the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule),\nempty passwords were allowed by default. An attacker could use this flaw to\nbypass intended authentication by providing an empty password for a valid\nusername, as the LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords option\nfor the LDAP login modules to false if the option is not already\nconfigured. (CVE-2012-5629)\n\nNote: If you are using the \"ldap\" configuration entry and rely on empty\npasswords, they will no longer work after applying this update. The\njboss-as-domain-management module, by default, will prevent empty\npasswords. 
This cannot be configured; however, a future release may add a\nconfiguration option to allow empty passwords when using the \"ldap\"\nconfiguration entry.\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation and deployed applications.\n\nAll users of JBoss Enterprise Application Platform 6.0.1 as provided from\nthe Red Hat Customer Portal are advised to apply this update.\n", "modified": "2018-06-07T02:39:06", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0234", "href": "https://access.redhat.com/errata/RHSA-2013:0234", "type": "redhat", "title": "(RHSA-2013:0234) Important: JBoss Enterprise Application Platform 6.0.1 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-06T23:51:01", "bulletinFamily": "unix", "description": "JBoss Enterprise Application Platform is a platform for Java applications,\nwhich integrates the JBoss Application Server with JBoss Hibernate and\nJBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of JBoss Enterprise Application Platform 5.2.0 as provided from\nthe Red Hat Customer Portal are advised to apply this update.\n", "modified": "2018-06-07T02:37:44", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0232", "href": "https://access.redhat.com/errata/RHSA-2013:0232", "type": "redhat", "title": "(RHSA-2013:0232) Important: JBoss Enterprise Application Platform 5.2.0 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T17:43:32", "bulletinFamily": "unix", "description": "JBoss Enterprise Application Platform is a platform for Java applications,\nwhich integrates the JBoss Application Server with JBoss Hibernate and\nJBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red Hat\nEnterprise Linux 4 and 5 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "modified": "2016-04-04T18:31:06", "published": "2013-02-11T05:00:00", "id": "RHSA-2013:0249", "href": "https://access.redhat.com/errata/RHSA-2013:0249", "type": "redhat", "title": "(RHSA-2013:0249) Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:42:12", "bulletinFamily": "unix", "description": "JBoss Enterprise Application Platform 6 is a platform for Java applications\nbased on JBoss Application Server 7.\n\nWhen using LDAP authentication with either the \"ldap\" configuration entry\nor the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule),\nempty passwords were allowed by default. An attacker could use this flaw to\nbypass intended authentication by providing an empty password for a valid\nusername, as the LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords option\nfor the LDAP login modules to false if the option is not already\nconfigured. (CVE-2012-5629)\n\nNote: If you are using the \"ldap\" configuration entry and rely on empty\npasswords, they will no longer work after applying this update. The\njboss-as-domain-management module, by default, will prevent empty\npasswords. 
This cannot be configured; however, a future release may add a\nconfiguration option to allow empty passwords when using the \"ldap\"\nconfiguration entry.\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation and deployed applications.\n\nAll users of JBoss Enterprise Application Platform 6.0.1 on Red Hat\nEnterprise Linux 5 and 6 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "modified": "2018-06-07T02:39:08", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0231", "href": "https://access.redhat.com/errata/RHSA-2013:0231", "type": "redhat", "title": "(RHSA-2013:0231) Important: JBoss Enterprise Application Platform 6.0.1 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:41:13", "bulletinFamily": "unix", "description": "JBoss Enterprise Application Platform is a platform for Java applications,\nwhich integrates the JBoss Application Server with JBoss Hibernate and\nJBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to this updated\npackage. 
The JBoss server process must be restarted for the update to take\neffect.\n", "modified": "2018-06-07T02:37:45", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0229", "href": "https://access.redhat.com/errata/RHSA-2013:0229", "type": "redhat", "title": "(RHSA-2013:0229) Important: JBoss Enterprise Application Platform 5.2.0 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-26T22:57:49", "bulletinFamily": "unix", "description": "JBoss Enterprise BRMS Platform is a business rules management system for\nthe management, storage, creation, modification, and deployment of JBoss\nRules. JBoss Enterprise Portal Platform is the open source implementation\nof the Java EE suite of services and Portal services running atop JBoss\nEnterprise Application Platform. JBoss Enterprise SOA Platform is the\nnext-generation ESB and business process automation infrastructure.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your JBoss installation,\nincluding any databases, database settings, applications, configuration\nfiles, and so on.\n\nAll users of JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal\nPlatform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0\nCP05, and 4.3.0 CP05 as provided from the Red Hat Customer Portal are\nadvised to apply this update.\n", "modified": "2017-07-25T00:13:59", "published": "2013-03-04T05:00:00", "id": "RHSA-2013:0586", "href": "https://access.redhat.com/errata/RHSA-2013:0586", "type": "redhat", "title": "(RHSA-2013:0586) Important: jbosssx security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:41:25", "bulletinFamily": "unix", "description": "The Enterprise Web Platform is a slimmed down profile of the JBoss\nEnterprise Application Platform intended for mid-size workloads with light\nand rich Java applications.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Web Platform installation (including all applications and\nconfiguration files).\n\nAll users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise\nLinux 4, 5, and 6 are advised to upgrade to this updated package. 
The JBoss\nserver process must be restarted for the update to take effect.\n", "modified": "2018-06-07T02:39:14", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0230", "href": "https://access.redhat.com/errata/RHSA-2013:0230", "type": "redhat", "title": "(RHSA-2013:0230) Important: JBoss Enterprise Web Platform 5.2.0 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-13T00:00:39", "bulletinFamily": "unix", "description": "The Enterprise Web Platform is a slimmed down profile of the JBoss\nEnterprise Application Platform intended for mid-size workloads with light\nand rich Java applications.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended authentication\nby providing an empty password for a valid username, as the LDAP server may\nrecognize this as an 'unauthenticated authentication' (RFC 4513). This\nupdate sets the allowEmptyPasswords option for the LDAP login modules to\nfalse if the option is not already configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Web Platform installation (including all applications and\nconfiguration files).\n\nAll users of JBoss Enterprise Web Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to apply this update.\n", "modified": "2018-06-07T02:39:14", "published": "2013-02-04T05:00:00", "id": "RHSA-2013:0233", "href": "https://access.redhat.com/errata/RHSA-2013:0233", "type": "redhat", "title": "(RHSA-2013:0233) Important: JBoss Enterprise Web Platform 5.2.0 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:15:36", "bulletinFamily": "scanner", "description": "An updated jbosssx2 package for JBoss Enterprise Application Platform\n5.2.0 that fixes one security issue is now available for Red Hat\nEnterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform is a platform for Java\napplications, which integrates the JBoss Application Server with JBoss\nHibernate and JBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all\napplications and configuration files).\n\nAll users of JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to this updated\npackage. The JBoss server process must be restarted for the update to\ntake effect.", "modified": "2018-12-27T00:00:00", "published": "2013-02-05T00:00:00", "id": "REDHAT-RHSA-2013-0229.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64465", "title": "RHEL 5 / 6 : JBoss EAP (RHSA-2013:0229)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0229. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64465);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/12/27 10:05:36\");\n\n script_cve_id(\"CVE-2012-5629\");\n script_xref(name:\"RHSA\", value:\"2013:0229\");\n\n script_name(english:\"RHEL 5 / 6 : JBoss EAP (RHSA-2013:0229)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated jbosssx2 package for JBoss Enterprise Application Platform\n5.2.0 that fixes one security issue is now available for Red Hat\nEnterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform is a platform for Java\napplications, which integrates the JBoss Application Server with JBoss\nHibernate and JBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all\napplications and configuration files).\n\nAll users of JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to this updated\npackage. 
The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n # http://tools.ietf.org/html/rfc4513\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tools.ietf.org/html/rfc4513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0229\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-5629\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jbosssx2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbosssx2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0229\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL5\", rpm:\"jbosssx2-\") || rpm_exists(release:\"RHEL6\", rpm:\"jbosssx2-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"jbosssx2-2.0.5-9.SP3_1_patch_01.ep5.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"jbosssx2-2.0.5-9.1.SP3_1_patch_01.ep5.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jbosssx2\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:15:38", "bulletinFamily": "scanner", "description": "Updated JBoss Enterprise Application Platform 4.3.0 CP10 packages that\nfix one security issue are now available for Red Hat Enterprise Linux\n4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform is a platform for Java\napplications, which integrates the JBoss Application Server with JBoss\nHibernate and JBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. 
(CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all\napplications and configuration files).\n\nAll users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red\nHat Enterprise Linux 4 and 5 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.", "modified": "2018-11-26T00:00:00", "published": "2013-02-12T00:00:00", "id": "REDHAT-RHSA-2013-0249.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64564", "title": "RHEL 5 : JBoss EAP (RHSA-2013:0249)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0249. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64564);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/26 11:02:15\");\n\n script_cve_id(\"CVE-2012-5629\");\n script_bugtraq_id(57890);\n script_xref(name:\"RHSA\", value:\"2013:0249\");\n\n script_name(english:\"RHEL 5 : JBoss EAP (RHSA-2013:0249)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform 4.3.0 CP10 packages that\nfix one security issue are now available for Red Hat Enterprise Linux\n4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform is a platform for Java\napplications, which integrates the JBoss Application Server with JBoss\nHibernate and JBoss Seam.\n\nWhen using LDAP authentication with the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. (CVE-2012-5629)\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation (including all\napplications and configuration files).\n\nAll users of JBoss Enterprise Application Platform 4.3.0 CP10 on Red\nHat Enterprise Linux 4 and 5 are advised to upgrade to these updated\npackages. 
The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n # http://tools.ietf.org/html/rfc4513\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tools.ietf.org/html/rfc4513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0249\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-5629\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jbossas and / or jbossas-client packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0249\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL5\", rpm:\"jbossas-client-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-4.3.0-12.GA_CP10_patch_01.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-client-4.3.0-12.GA_CP10_patch_01.1.ep1.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jbossas / jbossas-client\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:15:36", "bulletinFamily": "scanner", "description": "Updated JBoss Enterprise Application Platform 6.0.1 packages that fix\none security issue are now available for Red Hat Enterprise Linux 5\nand 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nWhen using LDAP authentication with either the 'ldap' configuration\nentry or the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. 
(CVE-2012-5629)\n\nNote: If you are using the 'ldap' configuration entry and rely on\nempty passwords, they will no longer work after applying this update.\nThe jboss-as-domain-management module, by default, will prevent empty\npasswords. This cannot be configured; however, a future release may\nadd a configuration option to allow empty passwords when using the\n'ldap' configuration entry.\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation and deployed\napplications.\n\nAll users of JBoss Enterprise Application Platform 6.0.1 on Red Hat\nEnterprise Linux 5 and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.", "modified": "2018-12-27T00:00:00", "published": "2013-02-05T00:00:00", "id": "REDHAT-RHSA-2013-0231.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64466", "title": "RHEL 5 / 6 : JBoss EAP (RHSA-2013:0231)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0231. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64466);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/12/27 10:05:36\");\n\n script_cve_id(\"CVE-2012-5629\");\n script_bugtraq_id(57890);\n script_xref(name:\"RHSA\", value:\"2013:0231\");\n\n script_name(english:\"RHEL 5 / 6 : JBoss EAP (RHSA-2013:0231)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform 6.0.1 packages that fix\none security issue are now available for Red Hat Enterprise Linux 5\nand 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nJBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nWhen using LDAP authentication with either the 'ldap' configuration\nentry or the provided LDAP login modules\n(LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by\ndefault. An attacker could use this flaw to bypass intended\nauthentication by providing an empty password for a valid username, as\nthe LDAP server may recognize this as an 'unauthenticated\nauthentication' (RFC 4513). This update sets the allowEmptyPasswords\noption for the LDAP login modules to false if the option is not\nalready configured. (CVE-2012-5629)\n\nNote: If you are using the 'ldap' configuration entry and rely on\nempty passwords, they will no longer work after applying this update.\nThe jboss-as-domain-management module, by default, will prevent empty\npasswords. 
This cannot be configured; however, a future release may\nadd a configuration option to allow empty passwords when using the\n'ldap' configuration entry.\n\nWarning: Before applying this update, back up your existing JBoss\nEnterprise Application Platform installation and deployed\napplications.\n\nAll users of JBoss Enterprise Application Platform 6.0.1 on Red Hat\nEnterprise Linux 5 and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n # http://tools.ietf.org/html/rfc4513\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tools.ietf.org/html/rfc4513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-5629\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected jboss-as-domain-management and / or picketbox\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketbox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/05\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0231\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL5\", rpm:\"jbossas-core-\") || rpm_exists(release:\"RHEL6\", rpm:\"jbossas-core-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"picketbox-4.0.14-3.Final_redhat_3.ep6.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-domain-management-7.1.3-5.Final_redhat_5.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"picketbox-4.0.14-3.Final_redhat_3.ep6.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jboss-as-domain-management / picketbox\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}