(RHSA-2015:1642) Important: Red Hat JBoss Web Server 2.1.0 security update

2015-08-1818:27:39

access.redhat.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

67.3%

JSON

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

A flaw was found in the way the mod_cluster manager processed certain MCMP
messages. An attacker with access to the network from which MCMP messages
are allowed to be sent could use this flaw to execute arbitrary JavaScript
code in the mod_cluster manager web interface. (CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

OSVersionArchitecturePackageVersionFilename
RedHat5srcmod_cluster-native< 1.2.9-4.Final_redhat_2.ep6.el5mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm
RedHat5x86_64mod_cluster-native< 1.2.9-4.Final_redhat_2.ep6.el5mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
RedHat5i386mod_jk-ap22< 1.2.40-4.redhat_2.ep6.el5mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm
RedHat5srcmod_jk< 1.2.40-4.redhat_2.ep6.el5mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm
RedHat6x86_64mod_jk-ap22< 1.2.40-4.redhat_2.ep6.el6mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
RedHat7x86_64mod_cluster-native< 1.2.9-4.Final_redhat_2.ep6.el7mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
RedHat6i386mod_cluster-native-debuginfo< 1.2.9-4.Final_redhat_2.ep6.el6mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
RedHat5x86_64mod_jk-ap22< 1.2.40-4.redhat_2.ep6.el5mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
RedHat6x86_64mod_jk-manual< 1.2.40-4.redhat_2.ep6.el6mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
RedHat6x86_64mod_cluster-native< 1.2.9-4.Final_redhat_2.ep6.el6mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	src	mod_cluster-native	< 1.2.9-4.Final_redhat_2.ep6.el5	mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm
RedHat	5	x86_64	mod_cluster-native	< 1.2.9-4.Final_redhat_2.ep6.el5	mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
RedHat	5	i386	mod_jk-ap22	< 1.2.40-4.redhat_2.ep6.el5	mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm
RedHat	5	src	mod_jk	< 1.2.40-4.redhat_2.ep6.el5	mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm
RedHat	6	x86_64	mod_jk-ap22	< 1.2.40-4.redhat_2.ep6.el6	mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
RedHat	7	x86_64	mod_cluster-native	< 1.2.9-4.Final_redhat_2.ep6.el7	mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
RedHat	6	i386	mod_cluster-native-debuginfo	< 1.2.9-4.Final_redhat_2.ep6.el6	mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
RedHat	5	x86_64	mod_jk-ap22	< 1.2.40-4.redhat_2.ep6.el5	mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
RedHat	6	x86_64	mod_jk-manual	< 1.2.40-4.redhat_2.ep6.el6	mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
RedHat	6	x86_64	mod_cluster-native	< 1.2.9-4.Final_redhat_2.ep6.el6	mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm