(RHSA-2015:1176) Important: Red Hat JBoss Fuse 6.2.0 update

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

The following security fixes are addressed in this release:

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject’s Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2013-7398)

It was found that the ServerTrustManager in the Smack XMPP API did not
verify basicConstraints and nameConstraints in X.509 certificate chains. A
man-in-the-middle attacker could use this flaw to spoof servers and obtain
sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not
verify the From attribute of a roster-query IQ stanza. A remote attacker
could use this flaw to spoof IQ responses. (CVE-2014-0364)

It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject’s Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

It was found that the JClouds scriptbuilder Statements class writes a temporary file to a predictable location. An attacker could use this flaw to access sensitive data, denial of service, or other attacks. (CVE-2014-4651)

It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker’s control. (CVE-2014-5075)

It was found that JBoss Fuse would allow any user defined in the users.properties file to access the HawtIO console without having a valid admin role. This could allow a remote attacker to bypass intended authentication HawtIO console access restrictions. (CVE-2014-8175)

It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher’s attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2015-0226)

It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request. (CVE-2015-0227)

It was found that PKIX trust components allowed an X509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority. (CVE-2015-1796)

The CVE-2014-8175 issue was reported by Jay Kumar SenSharma of Red Hat.