Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2015:0850
HistoryApr 16, 2015 - 4:00 p.m.

(RHSA-2015:0850) Important: Red Hat JBoss BRMS 6.1.0 update

2015-04-1616:00:56
access.redhat.com
10

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.07 Low

EPSS

Percentile

92.9%

JSON

Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.1.0 serves as a replacement for Red
Hat JBoss BRMS 6.0.3, and includes bug fixes and enhancements. Refer to the
Red Hat JBoss BRMS 6.1.0 Release Notes for information on the most
significant of these changes. The Release Notes are available at
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/

The following security issues are also fixed with this release,
descriptions of which can be found on the respective CVE pages linked in
the References section.

CVE-2012-6153 Jakarta Commons httpclient / Apache CXF: SSL hostname
verification bypass, incomplete CVE-2012-5783 fix

CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws
handlers

CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature
DoS Attack

CVE-2013-7397 async-http-client: SSL/TLS certificate verification is
disabled under certain conditions

CVE-2013-7398 async-http-client: missing hostname verification for SSL
certificates

CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid
SAML Tokens as valid

CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a
Symmetric EncryptBeforeSigning policy

CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file

CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause
OOM errors

CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space
to fill

CVE-2014-3577 Jakarta Commons httpclient / Apache CXF: SSL hostname
verification bypass, incomplete CVE-2012-6153 fix

CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics
enforcement of SAML SubjectConfirmation methods

CVE-2014-7827 JBoss Security: Wrong security context loaded when using
SAML2 STS Login Module

CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider

CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread
state

CVE-2014-8125 jBPM: BPMN2 file processing XXE in Process Execution

Red Hat would like to thank Rune Steinseth of JProfessionals for reporting
the CVE-2014-8122 issue. The CVE-2012-6153 issue was discovered by Florian
Weimer of Red Hat Product Security; the CVE-2014-8125 was discovered by
Jeremy Lindop of Red Hat; the CVE-2014-7827 issue was discovered by Ondra
Lukas of the Red Hat Quality Engineering Team; the CVE-2013-2133 issue was
discovered by Richard Opalka and Arun Neelicattu of Red Hat.

All users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.1.0.

Related

redhat 28
veracode 4
nessus 33
openvas 22
f5 4
debian 1
amazon 1
ubuntucve 6
osv 9
fedora 8
ibm 42
securityvulns 2
ubuntu 1
mageia 2
github 6
debiancve 4
freebsd 1
atlassian 2
prion 11
cve 9
photon 2
cgr 1
redhat
redhat
(RHSA-2015:0851) Important: Red Hat JBoss BPM Suite 6.1.0 update
2015-04-16 16:01:23
(RHSA-2014:1320) Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
2014-09-29 00:00:00
(RHSA-2014:0799) Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update
2014-06-26 00:00:00
veracode
veracode
XML External Entity (XXE)
2019-05-02 05:00:05
Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers
2019-01-15 08:59:46
Authorization Bypass
2019-01-15 09:04:30
nessus
nessus
RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1162)
2014-09-08 00:00:00
RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2014:1321)
2014-10-01 00:00:00
Debian DLA-222-1 : commons-httpclient security update
2015-05-20 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-222-1)
2023-03-08 00:00:00
Amazon Linux: Security Advisory (ALAS-2014-410)
2015-09-08 00:00:00
Fedora Update for jakarta-commons-httpclient FEDORA-2014-9539
2014-08-27 00:00:00
f5
f5
SOL15364328 - Apache vulnerabilities CVE-2012-5783, CVE-2012-6153, and CVE-2014-3577
2016-02-02 00:00:00
K15364328 : Apache vulnerabilities CVE-2012-5783 and CVE-2012-6153
2016-02-02 00:00:00
K15741 : Apache Commons HttpClient vulnerability CVE-2012-6153
2014-10-27 00:00:00
debian
debian
[SECURITY] [DLA 222-1] commons-httpclient security update
2015-05-19 15:18:39
amazon
amazon
Important: jakarta-commons-httpclient
2014-09-17 21:47:00
ubuntucve
ubuntucve
CVE-2012-5783
2012-11-04 00:00:00
CVE-2012-6153
2014-09-04 00:00:00
CVE-2014-7839
2014-11-25 00:00:00
osv
osv
commons-httpclient - security update
2015-05-19 00:00:00
Improper certificate validation in org.apache.httpcomponents:httpclient
2018-10-17 00:05:15
Improper Input Validation in Drools and jBPM
2022-05-17 04:12:57
fedora
fedora
[SECURITY] Fedora 19 Update: jakarta-commons-httpclient-3.1-15.fc19
2014-08-27 01:28:57
[SECURITY] Fedora 20 Update: jakarta-commons-httpclient-3.1-15.fc20
2014-08-27 01:31:46
[SECURITY] Fedora 20 Update: async-http-client-1.7.22-2.fc20
2015-05-08 07:38:37
ibm
ibm
Security Bulletin: Apache Commons HttpClient 3.x (and few others) allow Man-In-The-Middle (MITM) attack
2022-12-12 13:16:13
Security Bulletin: Apache HttpComponents vulnerable to spoofing attacks are affecting Case Manager Client (CVE-2012-6153, CVE-2014-3577)
2018-06-17 12:12:04
Security Bulletin: Public disclosed vulnerabilities from Apache HttpComponents affects IBM Spectrum LSF
2019-03-01 14:10:02
securityvulns
securityvulns
[USN-2769-1] Apache Commons HttpClient
2015-10-25 00:00:00
CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
2014-08-18 00:00:00
ubuntu
ubuntu
Apache Commons HttpClient vulnerabilities
2015-10-14 00:00:00
mageia
mageia
Updated async-http-client packages fix security vulnerabilities
2015-05-11 23:10:38
Updated Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerabilities
2014-08-25 12:44:11
github
github
Improper certificate validation in org.apache.httpcomponents:httpclient
2018-10-17 00:05:15
Improper Input Validation in Drools and jBPM
2022-05-17 04:12:57
XML External Entity Reference in RESTEasy
2022-05-17 04:13:50
debiancve
debiancve
CVE-2012-6153
2014-09-04 17:55:00
CVE-2014-7839
2014-11-25 15:59:00
CVE-2013-7398
2015-06-24 16:59:00
freebsd
freebsd
Axis2 -- Security vulnerabilities on dependency Apache HttpClient
2012-12-06 00:00:00
atlassian
atlassian
Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support
2015-05-12 07:34:43
Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support
2015-05-12 07:34:43
prion
prion
Design/Logic Flaw
2014-09-04 17:55:00
Xxe
2015-04-21 17:59:00
Design/Logic Flaw
2015-06-24 16:59:00
cve
cve
CVE-2012-6153
2014-09-04 17:55:00
CVE-2014-7839
2014-11-25 15:59:00
CVE-2014-8122
2015-02-13 15:59:00
photon
photon
Moderate Photon OS Security Update - PHSA-2020-0141
2020-09-17 00:00:00
Moderate Photon OS Security Update - PHSA-2020-3.0-0141
2020-09-17 00:00:00
cgr
cgr
CVE-2012-5783 vulnerabilities
2024-04-25 21:08:41

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.07 Low

EPSS

Percentile

92.9%

JSON
Related for RHSA-2015:0850
redhat28veracode4nessus33openvas22f54debian1amazon1ubuntucve6osv9fedora8ibm42securityvulns2ubuntu1mageia2github6debiancve4freebsd1atlassian2prion11cve9photon2cgr1