The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RedHat JBoss Enterprise Application Platform

computer vulnerability announce CVE-2009-5066

JBoss AS 5: password reading via twiddle.sh

Synthesis of the vulnerability

When the twiddle.sh script is used, a local attacker can use the ps command, in order to read the password.
Impacted products: JBoss AS OpenSource, RHEL, JBoss EAP by Red Hat.
Severity: 1/4.
Creation date: 23/07/2012.
Identifiers: BID-54631, CVE-2009-5066, JBPAPP-3391, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0533-01, VIGILANCE-VUL-11787.

Description of the vulnerability

The twiddle.sh script, shipped with JBoss Application Server 5, is a command-line client for the server's JMX interface. It is a wrapper around twiddle.jar.

However, the login and password have to be passed as command-line arguments. For example:
  ./twiddle.sh --user=MyLogin --password=MyPassword ...

Command-line arguments are visible to every local user (through the ps command, or /proc/<pid>/cmdline on Linux) for as long as the process runs. When the twiddle.sh script is used, a local attacker can therefore run ps, in order to read the password.
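The local check a practitioner would run for this class of issue, as an added example (not part of the bulletin and not JBoss code): a small C audit tool that reads every /proc/<pid>/cmdline on Linux, the same data ps displays, and reports processes whose arguments carry a password. The flag list assumes twiddle.sh's "--password=" form shown above plus a short "-p" form, and the sample command lines are constructed for the example.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Flags whose value is a password. Assumed for this example from the
 * "--password=..." form shown in the bulletin plus a short "-p" form. */
static const char *password_flags[] = { "--password", "-p", NULL };

/* Length of the NUL-terminated argument at arg, never reading past limit bytes. */
static size_t arg_len(const char *arg, size_t limit)
{
    size_t n = 0;
    while (n < limit && arg[n] != '\0') n++;
    return n;
}

/* Scan a command line in /proc/<pid>/cmdline format (arguments separated by
 * NUL bytes, len bytes in total). Returns the 1-based index of the argument
 * that carries the password, or 0 if none: "--password=x", "--password x",
 * "-p x" and "-px" are all reported. The "-p" rule is a heuristic and will
 * also flag unrelated options that start with "-p". */
int cmdline_leaks_password(const char *cmdline, size_t len)
{
    size_t off = 0;
    int argi = 0, value_next = 0;
    while (off < len) {
        const char *arg = cmdline + off;
        size_t alen = arg_len(arg, len - off);
        argi++;
        if (value_next)
            return argi;                   /* this argument is the password itself */
        for (const char **f = password_flags; *f; f++) {
            size_t flen = strlen(*f);
            if (alen < flen || memcmp(arg, *f, flen) != 0)
                continue;
            if (alen == flen) {            /* "--password secret": value is the next argv */
                value_next = 1;
                break;
            }
            if (arg[flen] == '=' || (*f)[1] != '-')   /* "--password=secret" or "-psecret" */
                return argi;
        }
        off += alen + 1;
    }
    return 0;
}

/* Walk /proc (Linux) and report every running process whose command line
 * exposes a password to any local user. Returns the number of hits, or -1
 * when /proc cannot be opened. */
int scan_proc(void)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[300], buf[4096];
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                      /* not a pid directory */
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "rb");
        if (!f) continue;
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        int idx = cmdline_leaks_password(buf, n);
        if (idx) {
            found++;
            printf("pid %s: password exposed in argv[%d]\n", e->d_name, idx - 1);
        }
    }
    closedir(d);
    return found;
}

/* Constructed command lines in /proc format; the literal's trailing NUL ends
 * the last argument, so sizeof gives the exact length to pass. */
static const char twiddle_long[]  = "./twiddle.sh\0--user=MyLogin\0--password=MyPassword\0get\0jboss.system:type=Server";
static const char twiddle_short[] = "./twiddle.sh\0-u\0MyLogin\0-p\0MyPassword\0get";
static const char twiddle_clean[] = "./twiddle.sh\0--user=MyLogin\0get";

int main(void)
{
    int hits = scan_proc();
    if (hits < 0)
        puts("/proc not available; run this check on Linux");
    else
        printf("%d process(es) expose a password on the command line\n", hits);
    return 0;
}
```

Running it while twiddle.sh is executing prints the offending pid; an empty result only means no process was caught at that instant, so the real fix is to stop passing the secret in argv at all.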
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2012-2333

OpenSSL: denial of service via TLS

Synthesis of the vulnerability

An attacker can send a malicious message during a TLS session, in order to stop clients or servers linked with OpenSSL.
Impacted products: BIG-IP Hardware, TMOS, HP-UX, NetBSD, OpenSSL, Solaris, JBoss EAP by Red Hat.
Severity: 3/4.
Creation date: 11/05/2012.
Identifiers: BID-5347, c03498127, CERTA-2012-AVI-277, CVE-2012-2333, HPSBUX02814, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15401, SSRT100930, VIGILANCE-VUL-11620.

Description of the vulnerability

The tls1_enc() function in file ssl/t1_enc.c handles record encryption and decryption for TLS 1.1 and 1.2, where each CBC record starts with an explicit initialization vector (IV).

However, this function does not check that the record is long enough to hold the explicit IV and the padding before it subtracts their sizes from the record length. When the IV is skipped on a record shorter than one cipher block, the computed length underflows, an invalid memory area is read, and the application stops.

An attacker can therefore send a malicious message during a TLS session, in order to stop clients or servers linked with OpenSSL.

computer vulnerability note CVE-2012-2333

OpenSSL: denial of service via DTLS

Synthesis of the vulnerability

An attacker can send a malicious message during a DTLS session, in order to stop clients or servers linked with OpenSSL.
Impacted products: Debian, Fedora, HP-UX, AIX, MES, Mandriva Linux, NetBSD, OpenSSL, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 11/05/2012.
Identifiers: BID-53476, c03498127, CERTA-2012-AVI-277, CERTA-2012-AVI-419, CVE-2012-2333, FEDORA-2012-7939, FEDORA-2012-8014, FEDORA-2012-8024, HPSBUX02814, MDVSA-2012:073, NetBSD-SA2012-002, RHSA-2012:0699-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SSRT100930, SUSE-SU-2012:0674-1, SUSE-SU-2012:0678-1, SUSE-SU-2012:0679-1, VIGILANCE-VUL-11619.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

The dtls1_enc() function in file ssl/d1_enc.c handles DTLS record encryption and decryption; as in TLS 1.1, each CBC record starts with an explicit initialization vector (IV).

However, this function does not check that the record is long enough to hold the explicit IV and the padding before it subtracts their sizes from the record length. When the IV is skipped on a record shorter than one cipher block, the computed length underflows, an invalid memory area is read, and the application stops.

An attacker can therefore send a malicious message during a DTLS session, in order to stop clients or servers linked with OpenSSL.
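The length arithmetic behind both CVE-2012-2333 bulletins (TLS 1.1/1.2 above and DTLS here) is the same, so one added example serves both. This is illustrative C, not OpenSSL's code: plaintext_length_vulnerable() and plaintext_length_fixed() are hypothetical names that model the bookkeeping of tls1_enc()/dtls1_enc() around the explicit IV and the padding; the cipher step is omitted because only the lengths matter, and the block size, record limit and sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the record-length bookkeeping in tls1_enc()/dtls1_enc() for CBC
 * records in TLS 1.1/1.2 and DTLS (example code, not OpenSSL's). A decrypted
 * record body has the layout
 *   explicit IV (one block) || plaintext || padding || padding_length
 * and the implementation strips the IV and the padding before returning the
 * plaintext length. Constants assumed for the example: the AES block size
 * and the TLS maximum record size. */
#define BLOCK_SIZE  16u
#define MAX_RECORD  16384u
#define REJECTED    ((size_t)-1)

/* Vulnerable bookkeeping: the explicit IV is skipped without first checking
 * that the record actually contains one. For a crafted record shorter than
 * BLOCK_SIZE the subtraction wraps around and the returned length is huge;
 * the caller then reads that many bytes past the end of the buffer. */
size_t plaintext_length_vulnerable(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return REJECTED;
    size_t pad = (size_t)rec[len - 1] + 1u;    /* padding bytes plus the length byte */
    if (pad > len)
        return REJECTED;
    len -= pad;
    len -= BLOCK_SIZE;                          /* underflows when len < BLOCK_SIZE */
    return len;
}

/* Fixed bookkeeping: sanity-check the record length before the IV is skipped.
 * A CBC record must be a whole number of blocks and must contain at least the
 * IV block plus one block that holds the padding. */
size_t plaintext_length_fixed(const uint8_t *rec, size_t len)
{
    if (len < 2u * BLOCK_SIZE || len % BLOCK_SIZE != 0 || len > MAX_RECORD)
        return REJECTED;
    size_t pad  = (size_t)rec[len - 1] + 1u;
    size_t body = len - BLOCK_SIZE;             /* drop the explicit IV, now safe */
    if (pad > body)
        return REJECTED;
    return body - pad;
}

/* Constructed records (contents are irrelevant; only lengths and the last
 * byte, padding_length, are inspected). */
static const uint8_t crafted_record[8] = {0};          /* shorter than one block */
static const uint8_t valid_record[48]  = {0};          /* IV + 32 bytes, padding_length 0 */
static const uint8_t bad_padding[32]   = {[31] = 0x20}; /* padding_length larger than the body */

int main(void)
{
    size_t v = plaintext_length_vulnerable(crafted_record, sizeof crafted_record);
    size_t f = plaintext_length_fixed(crafted_record, sizeof crafted_record);
    printf("crafted 8-byte record: vulnerable length=%zu, fixed=%s\n",
           v, f == REJECTED ? "rejected" : "accepted");
    printf("valid 48-byte record : plaintext length=%zu\n",
           plaintext_length_fixed(valid_record, sizeof valid_record));
    return 0;
}
```

The vulnerable path returns a length in the billions for an 8-byte record, which is exactly the out-of-bounds read size the bulletins describe; the fixed path rejects the record before any subtraction takes place.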

computer vulnerability note CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, MES, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 3/4.
Creation date: 19/04/2012.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation).

OpenSSL uses BIOs (basic I/O abstractions), which are data streams a program can read from or write to.

The asn1_d2i_read_bio() function of OpenSSL decodes ASN.1 data coming from a BIO.

However, this function casts the size of ASN.1 objects to a signed int, whereas the size it reads is an unsigned "size_t"-like value. If the announced size of an object is 0x80000000 or greater, the cast yields a negative number, the buffer is sized incorrectly, and the memory is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: the SSL/TLS handshake itself does not use this function, so plain SSL/TLS clients and servers are not vulnerable unless they also read untrusted DER data through BIO-based decoders such as d2i_X509_bio(). S/MIME and CMS applications, which do, are vulnerable.

An attacker can therefore use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
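An added example (not OpenSSL's code) of the integer handling this bulletin describes: a DER length decoder, der_read_length(), followed by two hypothetical sizing routines, grow_request_vulnerable(), which mirrors the signed truncation in the affected asn1_d2i_read_bio(), and grow_request_fixed(), which bounds the announced length before any int-typed allocation sees it. The TLV header announcing 0x80000000 bytes is constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode the length octets that follow a DER tag (example code, not
 * OpenSSL's). Short form: one byte below 0x80. Long form: 0x80|n followed by
 * n big-endian length bytes. Returns the number of bytes consumed, 0 on
 * error; *content_len receives the announced content length. */
size_t der_read_length(const uint8_t *buf, size_t buflen, size_t *content_len)
{
    if (buflen < 1)
        return 0;
    uint8_t first = buf[0];
    if ((first & 0x80) == 0) {
        *content_len = first;
        return 1;
    }
    size_t n = first & 0x7f;
    /* 0x80 alone is the indefinite form (not DER); more length bytes than a
     * size_t holds could never be buffered anyway. */
    if (n == 0 || n > sizeof(size_t) || buflen < 1 + n)
        return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | buf[1 + i];
    *content_len = len;
    return 1 + n;
}

/* Vulnerable sizing, mirroring the truncation in the affected
 * asn1_d2i_read_bio(): the announced length is carried in a long and handed
 * to an int-typed buffer-grow routine. From 0x80000000 upwards the int is
 * negative, the buffer is not grown as expected, and the following read of
 * the announced number of bytes overruns it. Returns the int that would be
 * requested. */
int grow_request_vulnerable(size_t content_len)
{
    long len = (long)content_len;
    return (int)len;                  /* truncates: negative for len >= 2^31 */
}

/* Fixed sizing: bound the announced length by what the caller is willing to
 * buffer and by INT_MAX before any int-typed API sees it. Returns -1 when
 * the length is rejected. */
long grow_request_fixed(size_t content_len, size_t max_alloc)
{
    if (content_len > max_alloc || content_len > (size_t)INT_MAX)
        return -1;
    return (long)content_len;
}

/* Constructed TLV header: SEQUENCE tag, then a long-form length with four
 * octets announcing 0x80000000 (2 GiB) of content. */
static const uint8_t crafted_header[] = {0x30, 0x84, 0x80, 0x00, 0x00, 0x00};

/* Announced length of crafted_header, or 0 if its length octets do not parse. */
size_t crafted_length(void)
{
    size_t len = 0;
    if (der_read_length(crafted_header + 1, sizeof crafted_header - 1, &len) != 5)
        return 0;
    return len;
}

int main(void)
{
    size_t len = crafted_length();
    printf("announced length 0x%zx -> vulnerable int request %d, fixed request %ld\n",
           len, grow_request_vulnerable(len), grow_request_fixed(len, 1u << 20));
    return 0;
}
```

The decoder itself is correct; the defect lives entirely in the sizing step, which is why applications that pass untrusted DER through BIO-based decoders are exposed while the TLS record layer, which never calls that path, is not.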

computer vulnerability note CVE-2012-1165

OpenSSL: denial of service via S/MIME and mime_param_cmp

Synthesis of the vulnerability

An attacker can send malformed S/MIME data, in order to stop applications which check the signature with the OpenSSL library.
Impacted products: Debian, Fedora, HP-UX, AIX, MES, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 13/03/2012.
Identifiers: BID-52764, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-1165, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0474-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SSRT100844, SUSE-SU-2012:0478-1, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11429.

Description of the vulnerability

The S/MIME (Secure/Multipurpose Internet Mail Extensions) standard is used to sign and encrypt MIME (emails) data. The signature is for example added in a new MIME item:
  Content-Type: application/x-pkcs7-signature; name="smime.p7s"
  Content-Transfer-Encoding: base64
  [...]

The crypto/asn1/asn_mime.c file of the OpenSSL library parses these MIME headers and their "name=value" parameters. However, if a header contains a parameter with no name, the parameter is stored with a NULL name, and the mime_param_cmp() function, used to sort and look up parameters, dereferences that NULL pointer.

An attacker can therefore send malformed S/MIME data, in order to stop applications which check the signature with the OpenSSL library.
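An added example, not OpenSSL's parser, of the defect in this bulletin: a small C parser for a Content-Type header's parameters that, like the affected code, keeps a parameter with no name, beside a comparator that dereferences the name unconditionally and a fixed comparator that treats a missing name as sorting first. The function names (mime_parse, mime_param_cmp_vulnerable, mime_param_cmp_fixed, mime_lookup) are hypothetical, and the nameless "=value" header is constructed as a plausible shape of the malformed input.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 8
#define MAX_TOKEN  64

/* One "name=value" parameter of a MIME header. has_name is 0 when nothing
 * preceded the '=', the case that reached mime_param_cmp() with a NULL name. */
struct mime_param {
    int  has_name;
    char name[MAX_TOKEN];
    char value[MAX_TOKEN];
};

struct mime_header {
    char type[MAX_TOKEN];
    struct mime_param params[MAX_PARAMS];
    int nparams;
};

/* Copy [start,end) into dst, trimming spaces and one surrounding pair of quotes. */
static void copy_token(char *dst, const char *start, const char *end)
{
    while (start < end && *start == ' ') start++;
    while (end > start && end[-1] == ' ') end--;
    if (end - start >= 2 && *start == '"' && end[-1] == '"') { start++; end--; }
    size_t n = (size_t)(end - start);
    if (n >= MAX_TOKEN) n = MAX_TOKEN - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse "type/subtype; p1=v1; p2=\"v2\"" (example parser, not OpenSSL's). It
 * deliberately accepts a nameless "=value" parameter, as the affected parser
 * did. Returns the number of parameters, or -1 on a malformed parameter. */
int mime_parse(const char *line, struct mime_header *hdr)
{
    memset(hdr, 0, sizeof *hdr);
    const char *semi = strchr(line, ';');
    copy_token(hdr->type, line, semi ? semi : line + strlen(line));
    while (semi) {
        const char *start = semi + 1;
        semi = strchr(start, ';');
        const char *end = semi ? semi : start + strlen(start);
        const char *eq = memchr(start, '=', (size_t)(end - start));
        if (!eq || hdr->nparams == MAX_PARAMS)
            return -1;
        struct mime_param *p = &hdr->params[hdr->nparams++];
        copy_token(p->name, start, eq);
        p->has_name = p->name[0] != '\0';
        copy_token(p->value, eq + 1, end);
    }
    return hdr->nparams;
}

/* NULL for a nameless parameter, as the affected code represented it. */
static const char *name_ptr(const struct mime_param *p) { return p->has_name ? p->name : NULL; }

/* Vulnerable comparator: dereferences both names unconditionally, so a
 * nameless parameter makes strcmp() read through a NULL pointer. Kept here
 * for comparison; never called with a nameless parameter. */
int mime_param_cmp_vulnerable(const struct mime_param *a, const struct mime_param *b)
{
    return strcmp(name_ptr(a), name_ptr(b));
}

/* Fixed comparator: a missing name sorts first and is never dereferenced. */
int mime_param_cmp_fixed(const struct mime_param *a, const struct mime_param *b)
{
    const char *na = name_ptr(a), *nb = name_ptr(b);
    if (!na && !nb) return 0;
    if (!na) return -1;
    if (!nb) return 1;
    return strcmp(na, nb);
}

/* Parse line and return the value of parameter `name` through the fixed
 * comparator, or NULL. Static storage keeps the returned pointer valid. */
const char *mime_lookup(const char *line, const char *name)
{
    static struct mime_header h;
    struct mime_param key = { 1, "", "" };
    if (mime_parse(line, &h) < 0) return NULL;
    strncpy(key.name, name, MAX_TOKEN - 1);
    for (int i = 0; i < h.nparams; i++)
        if (mime_param_cmp_fixed(&h.params[i], &key) == 0)
            return h.params[i].value;
    return NULL;
}

/* Helpers exposing parse results: parameter count (-1 on error), whether the
 * first parameter has a name, and the fixed comparator against a "name" key. */
int count_params(const char *line) { struct mime_header h; return mime_parse(line, &h); }
int first_param_named(const char *line)
{
    struct mime_header h;
    return mime_parse(line, &h) < 1 ? -1 : h.params[0].has_name;
}
int first_vs_name_key_fixed(const char *line)
{
    struct mime_header h;
    struct mime_param key = { 1, "name", "" };
    return mime_parse(line, &h) < 1 ? -2 : mime_param_cmp_fixed(&h.params[0], &key);
}

/* Constructed headers: the signature header from the bulletin, and a
 * malformed variant whose only parameter has no name. */
static const char good_header[] = "application/x-pkcs7-signature; name=\"smime.p7s\"";
static const char bad_header[]  = "application/x-pkcs7-signature; =\"smime.p7s\"";
```

With the fixed comparator the nameless parameter simply never matches a lookup, so a signature verifier sees the header as lacking a "name" parameter instead of crashing.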

computer vulnerability bulletin CVE-2011-4619

OpenSSL: denial of service via SGC

Synthesis of the vulnerability

An attacker can use the handshake restart feature of SGC without the Client Hello message, in order to create a denial of service.
Impacted products: BIG-IP Hardware, TMOS, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, OpenSSL, openSUSE, Solaris, JBoss EAP by Red Hat, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 13/03/2012.
Identifiers: 1643316, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-479, CVE-2011-4619, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FreeBSD-SA-12:01.openssl, HPSBUX02782, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15389, SOL15461, SSRT100844, VIGILANCE-VUL-11428, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

SGC (Server Gated Cryptography) is a legacy mechanism from the era of export-restricted cryptography: a client that first negotiated weak export-grade algorithms or keys could restart the handshake to step up to stronger ones. It is considered obsolete.

An attacker can trigger the SGC handshake-restart path without sending a proper Client Hello message, in order to create a denial of service (CPU consumption).

This vulnerability results from an incomplete fix for the original CVE-2011-4619 issue (VIGILANCE-VUL-11257); the same CVE identifier is kept.

computer vulnerability announce CVE-2012-0884

OpenSSL: Bleichenbacher attack on CMS and PKCS7

Synthesis of the vulnerability

The Bleichenbacher attack can be used against the OpenSSL implementation of CMS and PKCS#7, in order to obtain clear text information, using 2^20 messages.
Impacted products: IPSO, Debian, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, MES, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 12/03/2012.
Identifiers: 1643316, BID-52428, c03333987, CERTA-2012-AVI-134, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-0884, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, FreeBSD-SA-12:01.openssl, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0547-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, sk76360, SSRT100844, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11427.

Description of the vulnerability

The PKCS#7 format is used to represent a signed or encrypted document. CMS (Cryptographic Message Syntax) is an improvement of PKCS#7. S/MIME used PKCS#7, and now uses CMS. TLS/SSL does not use PKCS#7 nor CMS.

In 1998, Daniel Bleichenbacher published an adaptive chosen-ciphertext attack against RSA with PKCS#1 v1.5 padding: if an oracle reveals whether a submitted ciphertext decrypts to a correctly padded block, the attacker can recover the plaintext of a chosen ciphertext. It is named the "Million Message Attack" because it requires roughly a million oracle queries.

The OpenSSL implementation of CMS and PKCS#7 behaves as such an oracle, so the Bleichenbacher attack can be used against it, in order to obtain clear text information, using about 2^20 messages.

Technical details are unknown.

vulnerability bulletin CVE-2011-4858

Tomcat, JBoss: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data whose keys collide in the server's hash table, in order to overload a service.
Impacted products: Tomcat, Debian, Fedora, HPE NNMi, OpenView NNM, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity: 3/4.
Creation date: 22/02/2012.
Identifiers: BID-51200, c03183543, c03231290, c03824583, CERTA-2012-AVI-479, CERTA-2013-AVI-440, CVE-2011-4084-REJECT, CVE-2011-4858, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBMU02894, HPSBUX02741, openSUSE-SU-2012:0103-1, RHSA-2012:0041-01, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0089-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0406-01, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11383, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability, common to several web application frameworks, in which request parameters chosen to collide in the server's hash table make the service consume excessive CPU time, creating a denial of service.

This vulnerability impacts Tomcat.

Because VIGILANCE-VUL-11254 had become too large, the solutions for Tomcat were moved to this bulletin.

vulnerability CVE-2012-0022

Apache Tomcat: denial of service via several parameters

Synthesis of the vulnerability

An attacker can send a query containing a large number of parameters to Apache Tomcat, in order to overload the CPU.
Impacted products: Tomcat, Debian, Fedora, OpenView NNM, HP-UX, NSMXpress, MES, Mandriva Linux, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 17/01/2012.
Identifiers: c03183543, c03231290, CERTA-2012-AVI-479, CVE-2012-0022, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBUX02741, JSA10600, MDVSA-2012:085, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0345-02, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, RHSA-2012:1331-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11290, VMSA-2012-0003.1, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

An HTTP GET or POST query uses parameters like "para1=value&para2=value&...".

The org/apache/tomcat/util/http/Parameters.java file decodes these parameters. However, the algorithm it uses is inefficient: if the query contains a large number of parameters, Tomcat consumes a lot of processor time.

An attacker can therefore send a query containing a large number of parameters to Apache Tomcat, in order to overload the CPU.

This vulnerability is different from VIGILANCE-VUL-11383.

computer vulnerability note CVE-2011-3375

Apache Tomcat: information disclosure on previous sessions

Synthesis of the vulnerability

In some cases, Apache Tomcat can return to an application data belonging to the HTTP session of a previous user.
Impacted products: Tomcat, Debian, Fedora, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity: 1/4.
Creation date: 17/01/2012.
Identifiers: 51872, BID-51442, CERTA-2012-AVI-025, CERTA-2012-AVI-479, CVE-2011-3375, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, RHSA-2012:0681-01, RHSA-2012:0682-01, VIGILANCE-VUL-11289, VMSA-2012-0003.1, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

A Tomcat application can use the following methods to obtain information on the connected client:
 - request.getRemoteAddr() : IP address
 - request.getRemoteUser() : user name
 - request.getRemoteHost() : host name
 - etc.
Some of this information can then be included in the HTML page generated for the client.

Apache Tomcat keeps this request information in two places, but they are not cleared at the same time when a request object is recycled. So, data belonging to the previous request are still present when a new request has already started.

In some cases, Apache Tomcat can therefore return to an application data belonging to the HTTP session of a previous user.