(RHSA-2015:1551) Important: Red Hat JBoss Fuse Service Works 6.0.0 security update

2015-08-05T20:13:53
ID RHSA-2015:1551
Type redhat
Reporter RedHat
Modified 2019-02-20T17:22:28

Description

Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release:

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to present a forged or otherwise untrusted certificate that the client would accept as genuine. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name, not necessarily the one the client intended to contact. (CVE-2013-7398)
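
As an added illustration of the two checks the patched library restores, not code from this advisory or from async-http-client itself (which is a Java library), the following Python uses the standard ssl module: make_client_context keeps server verification switched on even when a client certificate is loaded (the coupling that CVE-2013-7397 describes as broken), and hostname_matches_cert performs the subjectAltName/CN matching that CVE-2013-7398 describes as missing, including the wildcard and IP-literal rules a practitioner has to get right. The certificate dictionaries, hostnames and function names are constructed for the example and are assumptions, not material from the advisory.

```python
import ssl
from ipaddress import ip_address


# --- CVE-2013-7397 side: client-certificate setup must not weaken server verification ---

def make_client_context(client_cert_path=None, client_key_path=None):
    """Build a TLS client context that verifies the server's chain and hostname
    and, if asked, also presents a client certificate. Loading our own
    certificate is independent of how strictly the peer is verified; the flaw
    being patched was that the two were coupled. (Hypothetical helper.)"""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if client_cert_path:
        # Mutual TLS: add our identity without touching verify_mode.
        ctx.load_cert_chain(client_cert_path, client_key_path)
    return ctx


def server_verification_enabled(ctx):
    """True only if the context validates the chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# --- CVE-2013-7398 side: hostname must match a SAN entry (or, failing that, the CN) ---

def _dns_name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A '*' is honoured only as the entire leftmost label, matches exactly one
    label, and must leave at least two fixed labels ('*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def hostname_matches_cert(cert, hostname):
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert().
    Rules (RFC 6125 / RFC 2818): if subjectAltName carries DNS or IP entries,
    only those are consulted; the subject CN is a fallback solely when there
    are none. An IP-literal hostname matches only 'IP Address' SAN entries.
    SAN values are assumed well-formed, as a real peer certificate's would be."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for (k, v) in san if k == "DNS"]
    ip_names = [v for (k, v) in san if k == "IP Address"]
    try:
        host_ip = ip_address(hostname)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        return any(ip_address(v) == host_ip for v in ip_names)
    if dns_names:
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    if ip_names:
        return False  # SAN present but holds only IPs: no CN fallback allowed
    # Legacy fallback: no SAN at all, so use commonName from the subject RDNs.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)


# Constructed sample certificates (not real ones), in getpeercert() shape.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# Perfectly valid, just issued for a different name: the CVE-2013-7398 scenario,
# where a MITM presents any certificate it legitimately holds.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}

if __name__ == "__main__":
    print("client cert does not disable server verification:",
          server_verification_enabled(make_client_context()))
    print("good cert for www.example.com:", hostname_matches_cert(GOOD_CERT, "www.example.com"))
    print("attacker cert for www.example.com:", hostname_matches_cert(ATTACKER_CERT, "www.example.com"))
```

A client that skipped hostname_matches_cert would accept ATTACKER_CERT for www.example.com as long as the chain validated, which is exactly what CVE-2013-7398 allowed; a client that lowered verify_mode when loading a client certificate would accept even an unchained certificate, which is the CVE-2013-7397 case.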

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.