CVSS v2 base score: 5.8 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple Content-Length headers, or a Content-Length header together with a chunked Transfer-Encoding header, JBoss Web would incorrectly handle the request (an HTTP request smuggling flaw: the server's view of where one request ends and the next begins can differ from that of a proxy or cache in front of it). A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures and perform actions which would otherwise be restricted. (CVE-2014-0093)

The CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

This release serves as an update for Red Hat JBoss Enterprise Application Platform 6.2, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.2 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
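The framing ambiguity behind CVE-2013-4286, as an added example that is not code from JBoss Web, Apache Tomcat or the advisory: a strict body-length check in Python of the kind a request parser applies before it trusts a declared length. It rejects the two cases the advisory names (several Content-Length headers, or Content-Length next to Transfer-Encoding: chunked) and goes slightly beyond them to also reject a non-chunked final transfer coding and a non-numeric length, the other ways a body length becomes undeterminable under RFC 7230 section 3.3.3. The function names and the sample requests are this example's own constructions.

```python
"""Strict HTTP/1.1 request framing check (added example, not JBoss Web code).

A front-end proxy or cache and a back-end server that resolve an
ambiguously framed request differently disagree on where the request
body ends, so the tail of one request becomes the head of the next.
The safe behaviour is to refuse to guess and answer 400.
"""
import re
from typing import List, Optional, Tuple

# RFC 7230 "token" characters, used to validate header field names.
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


class FramingError(ValueError):
    """Raised when the body length of a request cannot be determined unambiguously."""


def _parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block into (lower-cased name, stripped value) pairs.

    Obsolete line folding is rejected outright, which RFC 7230 permits a
    server to do; a folded Content-Length is a classic smuggling vector.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name):
            raise FramingError("malformed header line: %r" % line)
        try:
            headers.append((name.decode("ascii").lower(),
                            value.decode("ascii").strip(" \t")))
        except UnicodeDecodeError:
            raise FramingError("non-ASCII bytes in header line") from None
    return headers


def body_length(raw: bytes) -> Optional[int]:
    """Return the Content-Length, None for a chunked body, or raise FramingError.

    Rules (RFC 7230 section 3.3.3 in the strict form a hardened server uses):
      * Transfer-Encoding together with Content-Length      -> reject
      * several Content-Length values that are not identical -> reject
      * a Content-Length that is not a decimal integer      -> reject
      * Transfer-Encoding whose final coding is not chunked -> reject
    """
    headers = _parse_headers(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = []
    for n, v in headers:
        if n == "content-length":
            # A comma-separated list inside one header counts as several values.
            cl_values.extend(part.strip() for part in v.split(","))

    if te_values and cl_values:
        raise FramingError("Content-Length and Transfer-Encoding both present")

    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return None  # length is determined by the chunked encoding itself

    if not cl_values:
        return 0  # no body

    if len(set(cl_values)) != 1:
        raise FramingError("conflicting Content-Length values: %s" % cl_values)
    value = cl_values[0]
    if not re.fullmatch(r"[0-9]+", value):
        raise FramingError("invalid Content-Length: %r" % value)
    return int(value)


def check_request(raw: bytes) -> str:
    """Summarise the framing decision as the status a server would send."""
    try:
        n = body_length(raw)
    except FramingError as exc:
        return "400 Bad Request: %s" % exc
    return "ok: chunked body" if n is None else "ok: %d-byte body" % n


# Constructed sample requests for this example.
SAMPLES = {
    "plain":        b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "no body":      b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n",
    "chunked":      b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "double CL":    b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 25\r\n\r\nhello",
    "CL + TE":      b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "TE not last":  b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "folded CL":    b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length:\r\n 5\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print("%-12s %s" % (label, check_request(req)))
```

RFC 7230 would also let a server accept the Content-Length plus Transfer-Encoding case by honouring the transfer coding and discarding the length; rejecting it instead is the choice that removes the disagreement between a front end and a back end altogether, which is the property that matters here. Duplicate Content-Length headers with identical values are accepted because the specification allows it and the framing is still unambiguous.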
rhn.redhat.com/errata/RHSA-2014-0343.html
rhn.redhat.com/errata/RHSA-2014-0344.html
rhn.redhat.com/errata/RHSA-2014-0345.html
secunia.com/advisories/57675
www.securityfocus.com/bid/66596
access.redhat.com/security/updates/classification/#moderate
access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html
bugzilla.redhat.com/show_bug.cgi?id=1063448
bugzilla.redhat.com/show_bug.cgi?id=1066498
bugzilla.redhat.com/show_bug.cgi?id=1066504
bugzilla.redhat.com/show_bug.cgi?id=1066506
bugzilla.redhat.com/show_bug.cgi?id=1066513
bugzilla.redhat.com/show_bug.cgi?id=1067101
bugzilla.redhat.com/show_bug.cgi?id=1067168
bugzilla.redhat.com/show_bug.cgi?id=1067321
bugzilla.redhat.com/show_bug.cgi?id=1067509
bugzilla.redhat.com/show_bug.cgi?id=1067649
bugzilla.redhat.com/show_bug.cgi?id=1068712
bugzilla.redhat.com/show_bug.cgi?id=1069602
bugzilla.redhat.com/show_bug.cgi?id=1076115
bugzilla.redhat.com/show_bug.cgi?id=1076134
bugzilla.redhat.com/show_bug.cgi?id=1076168