The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RedHat JBoss Enterprise Application Platform

computer vulnerability note CVE-2012-4431

Apache Tomcat: bypass of countermeasures against CSRF

Synthesis of the vulnerability

An attacker can bypass the Tomcat checks dedicated to the detection of request forgery, without holding any valid session identifier, in order to submit requests on another user's behalf.
Impacted products: Tomcat, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 05/12/2012.
Identifiers: BID-56814, c03734195, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-4431, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, openSUSE-SU-2013:0161-1, openSUSE-SU-2013:0192-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0267-01, RHSA-2013:0268-01, RHSA-2013:0647-01, RHSA-2013:0648-01, RHSA-2013:0665-01, RHSA-2013:1437-01, RHSA-2013:1853-01, SSRT101139, VIGILANCE-VUL-12209.

Description of the vulnerability

An attacker can bypass the checks dedicated to the detection of request forgery, without holding any valid session identifier, in order to submit requests on another user's behalf.

Technical details are unknown.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2012-3546

Apache Tomcat: authentication bypass via URL mangling

Synthesis of the vulnerability

An attacker who must go through form-based authentication can append /j_security_check to the URL, in order to bypass the authentication process.
Impacted products: Tomcat, Debian, Fedora, HPE NNMi, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 05/12/2012.
Identifiers: BID-56812, c03734195, c03824583, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTA-2013-AVI-440, CERTFR-2014-AVI-112, CVE-2012-3546, DSA-2725-1, FEDORA-2012-20151, HPSBMU02894, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0004-01, RHSA-2013:0005-01, RHSA-2013:0146-01, RHSA-2013:0147-01, RHSA-2013:0151-01, RHSA-2013:0157-01, RHSA-2013:0158-01, RHSA-2013:0162-01, RHSA-2013:0163-01, RHSA-2013:0164-01, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0235-01, RHSA-2013:0623-01, RHSA-2013:0640-01, RHSA-2013:0641-01, RHSA-2013:0642-01, SSRT101139, VIGILANCE-VUL-12208.

Description of the vulnerability

The URL suffix /j_security_check has a special meaning in the form-based authentication process.

Some Tomcat components other than the one in charge of the password check can define the account used to validate accesses for the remote user (the principal). However, when the requested URL carries this special suffix, these assignments interact badly with the requirement that access to the error pages and the login form is always granted, which leads to premature termination of the credential validation.

An attacker who must go through form-based authentication can therefore append /j_security_check to the URL, in order to bypass the authentication process.

computer vulnerability announce CVE-2012-4534

Apache Tomcat: denial of service via SSL and NIO

Synthesis of the vulnerability

An attacker who accesses Tomcat through the NIO connector over an SSL-enabled connection can cause excessive CPU consumption, in order to deny service.
Impacted products: Tomcat, Debian, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 05/12/2012.
Identifiers: BID-56813, c03734195, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-4534, DSA-2725-1, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2013:0161-1, openSUSE-SU-2013:0170-1, openSUSE-SU-2013:0192-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, SSRT101139, VIGILANCE-VUL-12207, VMSA-2013-0006.

Description of the vulnerability

The vulnerability is applicable under the following conditions:
 - Tomcat is configured to use the NIO connector.
 - Tomcat uses the sendfile() system call, which requires that the response body is static.
 - The connection uses HTTP over SSL.

In this case, when the attacker half-closes the TCP connection and discards the received TCP data, Tomcat enters a CPU-intensive endless loop while attempting to send the response body.

An attacker who accesses Tomcat through the NIO connector over an SSL-enabled connection can therefore cause excessive CPU consumption, in order to deny service.

vulnerability announce CVE-2012-5783

Apache HttpClient 3: incomplete certificate validation

Synthesis of the vulnerability

An attacker can use any valid certificate on a malicious server, and then induce an Apache HttpClient 3 client to connect to it, in order to eavesdrop on communications even though encryption is used.
Impacted products: Apache HttpClient, Fedora, WebSphere AS Traditional, IBM WebSphere ESB, openSUSE, RHEL, JBoss EAP by Red Hat, Ubuntu.
Severity: 2/4.
Creation date: 23/11/2012.
Identifiers: 2016216, BID-58073, CVE-2012-5783, FEDORA-2013-1189, FEDORA-2013-1203, FEDORA-2013-1289, HTTPCLIENT-1265, openSUSE-SU-2013:0354-1, openSUSE-SU-2013:0622-1, openSUSE-SU-2013:0623-1, openSUSE-SU-2013:0638-1, RHSA-2013:0270-01, RHSA-2013:0679-01, RHSA-2013:0680-01, RHSA-2013:0681-01, RHSA-2013:0682-01, RHSA-2013:0763-01, RHSA-2013:1006-01, RHSA-2013:1147-01, RHSA-2013:1853-01, RHSA-2014:0224-01, RHSA-2017:0868-01, swg22017526, USN-2769-1, VIGILANCE-VUL-12182.

Description of the vulnerability

The HttpClient library can manage HTTP connections over SSL.

In order to authenticate a server, the client must check the certificate (cryptographic signatures, validity date range, etc.) and also that the received certificate matches the visited server. This check is usually done on DNS names, or sometimes on IP addresses. However, HttpClient does not check that the names included in the certificate match the host name requested at the HTTP level. So, any valid certificate is accepted.

An attacker can therefore use any valid certificate on a malicious server, and then induce an Apache HttpClient 3 client to connect to it, in order to eavesdrop on communications even though encryption is used.
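The missing step is the host name match between the requested host and the names in the presented certificate. The following is an added illustration written for this page (it is neither Vigil@nce's nor Apache HttpClient's code): it assumes the certificate has already passed signature and validity checks and is handed over as a dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns; the certificates in the test are constructed.

```python
import ipaddress


def _match_dns(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match. A wildcard is only accepted as the whole
    leftmost label, matches exactly one label, and never a whole TLD
    (*.example.com matches api.example.com, not a.b.example.com or *.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if len(plabels) < 3 or plabels[0] != "*" or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cert: dict, requested: str) -> bool:
    """The check HttpClient 3 omitted: does the certificate name the host we
    asked for? Prefers subjectAltName; falls back to the subject CN only when
    no SAN is present (legacy behaviour)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]

    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None

    if requested_ip is not None:
        # An IP literal must match an IP SAN; DNS names and CN do not count.
        return any(ipaddress.ip_address(v) == requested_ip for v in ip_names)
    if dns_names:
        return any(_match_dns(p, requested) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns(value, requested)
    return False
```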

vulnerability announce CVE-2012-5370 CVE-2012-5371 CVE-2012-5373

Ruby, JRuby, OpenJDK: denial of service via MurmurHash collision

Synthesis of the vulnerability

An attacker can send data generating hash-table collisions, in order to overload a Ruby, JRuby or OpenJDK service.
Impacted products: Fedora, openSUSE, RHEL, JBoss EAP by Red Hat, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 13/11/2012.
Identifiers: BID-56484, BID-56673, CERTA-2012-AVI-643, CVE-2012-5370, CVE-2012-5371, CVE-2012-5373, FEDORA-2012-18017, openSUSE-SU-2013:0376-1, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:0533-01, SSA:2012-341-04, VIGILANCE-VUL-12132.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications. This vulnerability is based on collisions in a data structure of type "hash table".

In order to fix this vulnerability, Ruby, JRuby and OpenJDK adopted the MurmurHash hashing algorithm.

However, an attacker can also generate collisions in this algorithm.

An attacker can therefore send data generating hash-table collisions, in order to overload a Ruby, JRuby or OpenJDK service.

vulnerability bulletin CVE-2012-5885 CVE-2012-5886 CVE-2012-5887

Apache Tomcat: bypassing the DIGEST authentication

Synthesis of the vulnerability

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can replay a previously captured session, and thus access protected resources.
Impacted products: Tomcat, Debian, HP-UX, NSMXpress, MES, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat.
Severity: 3/4.
Creation date: 06/11/2012.
Identifiers: BID-56403, c03734195, CERTA-2012-AVI-629, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-3439-REJECT, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, DSA-2725-1, HPSBUX02866, JSA10600, MDVSA-2013:004, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, RHSA-2013:0629-01, RHSA-2013:0631-01, RHSA-2013:0632-01, RHSA-2013:0633-01, RHSA-2013:0640-01, RHSA-2013:0647-01, RHSA-2013:0648-01, RHSA-2013:0665-01, RHSA-2013:0726-01, RHSA-2013:1006-01, SSRT101139, VIGILANCE-VUL-12113.

Description of the vulnerability

The HTTP Digest authentication defined in RFC 2617 combines several elements:
  HA1 = MD5(username:realm:password)
  HA2a = MD5(HTTP-METHOD:uri)
  HA2b = MD5(HTTP-METHOD:uri:MD5(body-of-query))
  if qop == "auth" HA2 = HA2a, if qop == "auth-int" HA2 = HA2b
  digest = MD5(HA1:nonce:nc:cnonce:qop:HA2)
Where:
 - realm: service name
 - nonce: server random (the server can indicate that it is "stale", which means already used)
 - cnonce: client random
 - nc: incremented counter
 - qop: requested level: auth or auth-int

However, the Apache Tomcat implementation of HTTP Digest authentication is impacted by three vulnerabilities.

The Tomcat server tracks client nonces (and nc values), instead of detecting duplicate server nonces. [severity:2/4; CVE-2012-5885]

When a session identifier is present, the authentication is bypassed. [severity:3/4; CVE-2012-5886]

When the nonce is stale, Tomcat does not check the user name and the password, and accepts the session. [severity:3/4; CVE-2012-5887]

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can therefore replay a previously captured session, and thus access protected resources.
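To make the three points concrete, here is an added example (written for this page, not Tomcat's code) that computes the RFC 2617 digest from the formula above and verifies it on the server side the way the bulletin implies it should be done: the server remembers its own nonces and the highest nc accepted for each, so a captured response cannot be replayed even with a fresh cnonce, a stale or unknown nonce is rejected before any credential is considered, and a failed credential check never consumes the counter. The realm, user, nonce values and requests in the test are constructed.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=b""):
    """Client side: the RFC 2617 computation listed in the bulletin."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (constructed example). Replay state is keyed on the
    server nonce, never on the client's cnonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # constructed: user -> password (a real server keeps HA1)
        self.last_nc = {}       # server nonce -> highest nc accepted so far

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, p, method, body=b""):
        nonce = p["nonce"]
        if nonce not in self.last_nc:
            return "stale"      # unknown/expired nonce: re-challenge, never accept
        nc = int(p["nc"], 16)
        if nc <= self.last_nc[nonce]:
            return "replay"     # counter did not advance for this server nonce
        password = self.users.get(p["username"])
        if password is None:
            return "bad-credentials"
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], nonce, p["nc"], p["cnonce"],
                                   p.get("qop", "auth"), body)
        if not hmac.compare_digest(expected, p["response"]):
            return "bad-credentials"
        self.last_nc[nonce] = nc    # only a fully validated request advances nc
        return "ok"
```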

vulnerability announce CVE-2012-2733

Apache Tomcat: denial of service via headers

Synthesis of the vulnerability

An attacker can send an HTTP request with large headers, in order to stop the HTTP NIO service of Apache Tomcat.
Impacted products: Tomcat, Debian, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 3/4.
Creation date: 06/11/2012.
Identifiers: BID-56402, c03734195, CERTA-2012-AVI-629, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-2733, DSA-2725-1, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0265-01, RHSA-2013:0266-01, SSRT101139, VIGILANCE-VUL-12112, VMSA-2013-0006.

Description of the vulnerability

The HTTP NIO connector processes HTTP requests for Apache Tomcat.

HTTP headers longer than maxHttpHeaderSize (4kb by default) are rejected. However, the HTTP NIO connector performs this check too late: a long header can already have triggered an OutOfMemoryError exception.

An attacker can therefore send an HTTP request with large headers, in order to stop the HTTP NIO service of Apache Tomcat.

computer vulnerability announce CVE-2009-5066

JBoss AS 5: password reading via twiddle.sh

Synthesis of the vulnerability

When the twiddle.sh script is used, a local attacker can use the ps command, in order to read the password.
Impacted products: JBoss AS OpenSource, RHEL, JBoss EAP by Red Hat.
Severity: 1/4.
Creation date: 23/07/2012.
Identifiers: BID-54631, CVE-2009-5066, JBPAPP-3391, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0533-01, VIGILANCE-VUL-11787.

Description of the vulnerability

The twiddle.sh script, which is provided with JBoss Application Server version 5, is used to connect to a JMX server. It uses twiddle.jar.

However, the login and password have to be provided on the command line. For example:
  ./twiddle.sh --user=MyLogin --password=MyPassword ...

When the twiddle.sh script is used, a local attacker can therefore use the ps command, in order to read the password.

vulnerability CVE-2012-2333

OpenSSL: denial of service via TLS

Synthesis of the vulnerability

An attacker can send a malicious message during a TLS session, in order to stop clients or servers linked against OpenSSL.
Impacted products: BIG-IP Hardware, TMOS, HP-UX, NetBSD, OpenSSL, Solaris, JBoss EAP by Red Hat.
Severity: 3/4.
Creation date: 11/05/2012.
Identifiers: BID-5347, c03498127, CERTA-2012-AVI-277, CVE-2012-2333, HPSBUX02814, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15401, SSRT100930, VIGILANCE-VUL-11620.

Description of the vulnerability

The tls1_enc() function of the file ssl/t1_enc.c handles encryption for TLS versions 1.1 and 1.2.

However, this function does not check that the padding size and the initialization vector size are consistent with the message size. When the initialization vector is skipped, the computed size becomes incorrect, and an invalid memory area is read, which crashes the application.

An attacker can therefore send a malicious message during a TLS session, in order to stop clients or servers linked against OpenSSL.

computer vulnerability note CVE-2012-2333

OpenSSL: denial of service via DTLS

Synthesis of the vulnerability

An attacker can send a malicious message during a DTLS session, in order to stop clients or servers linked against OpenSSL.
Impacted products: Debian, Fedora, HP-UX, AIX, MES, Mandriva Linux, NetBSD, OpenSSL, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 11/05/2012.
Identifiers: BID-53476, c03498127, CERTA-2012-AVI-277, CERTA-2012-AVI-419, CVE-2012-2333, FEDORA-2012-7939, FEDORA-2012-8014, FEDORA-2012-8024, HPSBUX02814, MDVSA-2012:073, NetBSD-SA2012-002, RHSA-2012:0699-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SSRT100930, SUSE-SU-2012:0674-1, SUSE-SU-2012:0678-1, SUSE-SU-2012:0679-1, VIGILANCE-VUL-11619.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

The dtls1_enc() function of the file ssl/d1_enc.c handles the DTLS encryption.

However, this function does not check that the padding size and the initialization vector size are consistent with the message size. When the initialization vector is skipped, the computed size becomes incorrect, and an invalid memory area is read, which crashes the application.

An attacker can therefore send a malicious message during a DTLS session, in order to stop clients or servers linked against OpenSSL.