(RHSA-2017:0244) Important: Red Hat JBoss Enterprise Application Platform security update

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.12, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

• It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2016-8656)

• It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. (CVE-2016-6816)

• An EAP feature to download server log files allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user’s browser to request the log files consuming enough resources that normal server functioning could be impaired. (CVE-2016-8627)

• It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. (CVE-2016-7061)

The CVE-2016-8627 issue was discovered by Darran Lofthouse and Brian Stansberry (Red Hat).