The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Commons HttpClient: Man-in-the-Middle

Synthesis of the vulnerability 

An attacker can act as a Man-in-the-Middle on Apache Commons HttpClient, in order to read or write data in the session.
Vulnerable software: Fedora, HPE NNMi, WebSphere AS Traditional, RHEL, JBoss EAP by Red Hat, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 14/10/2015.
References for this vulnerability: 7036319, c05103564, CVE-2012-6153, FEDORA-2014-9539, FEDORA-2014-9581, HPSBMU03584, MDVSA-2014:170, RHSA-2014:1082-01, RHSA-2014:1098-01, RHSA-2014:1162-01, RHSA-2014:1163-01, RHSA-2014:1320-01, RHSA-2014:1321-01, RHSA-2014:1322-01, RHSA-2014:1323-01, RHSA-2014:1833-01, RHSA-2014:1834-01, RHSA-2014:1835-01, RHSA-2014:1836-01, RHSA-2014:1891-01, RHSA-2014:1892-01, RHSA-2014:1904-01, RHSA-2014:2019-01, RHSA-2014:2020-01, RHSA-2015:0125-01, RHSA-2015:0158-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:0850-01, RHSA-2015:0851-01, RHSA-2015:1009, USN-2769-1, VIGILANCE-VUL-18097.

Description of the vulnerability 

An attacker positioned on the network path can act as a Man-in-the-Middle against an application using Apache Commons HttpClient, and read or modify the data exchanged in the session. CVE-2012-6153 concerns an incomplete hostname-verification fix: the check that the HTTPS server name matches the Common Name (CN) of the server's X.509 certificate could be satisfied by a specially crafted certificate that carries a common name in a field other than the CN, so a TLS session could be established with an impersonated server. Applications that bundle their own copy of the library (rather than the distribution package) remain exposed until that copy is replaced.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This cybersecurity alert impacts software or systems such as Fedora, HPE NNMi, WebSphere AS Traditional, RHEL, JBoss EAP by Red Hat, Ubuntu.

Our Vigil@nce team determined that the severity of this weakness is medium.

Trust level: confirmed by the vendor. Attack origin: internet server.

An attacker with expert skills can exploit this security weakness.
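The security-relevant point is how a TLS client decides that the certificate it received belongs to the host it meant to reach. The Python block below is an added example, not Apache HttpClient's code and not any vendor's patch: it contrasts a flawed Common Name extraction that splits the subject DN string on commas, so that a "CN=" planted inside another attribute's value is accepted (the class of flaw CVE-2012-6153 describes: a common name taken from a field that is not the CN), with a parser that honours RFC 2253 escaping and only trusts genuine CN attributes, followed by RFC 6125-style matching (subjectAltName dNSName first, CN only as a fallback, wildcard only as the whole leftmost label). The subject DNs and host names are constructed for the demonstration.

```python
"""Hostname verification against an X.509 subject, flawed and hardened.

Added example, not Apache HttpClient's implementation. The DNs used here are
constructed for the demo and do not come from any real certificate.
"""
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def naive_cns(subject_dn):
    """Flawed extraction: tokenise the DN *string* on ',' and accept any token
    that starts with 'CN='. An escaped comma inside an O/OU value is not
    recognised, so O=Evil\\, CN=bank.example yields a bogus CN of bank.example."""
    cns = []
    for tok in subject_dn.split(","):
        tok = tok.strip()
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:].strip())
    return cns


def parse_rdns(subject_dn):
    """Parse an RFC 2253 DN string into ordered (TYPE, value) pairs.
    Honours backslash escapes (including \\XX hex pairs), legacy double-quoted
    values and the ',' '+' ';' separators, so a separator inside a value stays
    part of that value instead of starting a new attribute."""
    attrs = []
    key, buf = [], []
    in_value = in_quotes = False
    i, n = 0, len(subject_dn)

    def flush():
        if key or buf:
            attrs.append(("".join(key).strip().upper(), "".join(buf).strip()))

    while i < n:
        c = subject_dn[i]
        target = buf if in_value else key
        if c == "\\" and i + 1 < n:
            pair = subject_dn[i + 1:i + 3]
            if HEX_PAIR.fullmatch(pair):          # \2C -> ','
                target.append(chr(int(pair, 16)))
                i += 3
            else:                                  # \, \+ \" \\ etc.
                target.append(subject_dn[i + 1])
                i += 2
            continue
        if c == '"' and in_value:
            in_quotes = not in_quotes
        elif c == "=" and not in_value:
            in_value = True
        elif c in ",+;" and not in_quotes:
            flush()
            key, buf = [], []
            in_value = False
        else:
            target.append(c)
        i += 1
    flush()
    return attrs


def strict_cns(subject_dn):
    """Only the values of genuine CN attributes, after proper RDN parsing."""
    return [v for t, v in parse_rdns(subject_dn) if t == "CN"]


def hostname_matches(hostname, name):
    """Case-insensitive comparison; '*' allowed only as the entire leftmost
    label of a name that has at least two further labels (no '*.example')."""
    hostname = hostname.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in name:
        return hostname == name
    labels = name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_hostname(hostname, subject_dn, san_dns_names=(), cn_extractor=strict_cns):
    """True if hostname matches a subjectAltName dNSName or, only when the
    certificate carries no dNSName at all, a subject CN (RFC 6125 6.4.4)."""
    names = list(san_dns_names) or cn_extractor(subject_dn)
    return any(hostname_matches(hostname, n) for n in names)


# Constructed attacker subject: the genuine CN is attacker.example; a second,
# escaped "CN=" is planted inside the O value.
MALICIOUS_DN = r"CN=attacker.example,O=Evil Corp\, CN=bank.example,C=US"

if __name__ == "__main__":
    print(naive_cns(MALICIOUS_DN))    # ['attacker.example', 'bank.example']
    print(strict_cns(MALICIOUS_DN))   # ['attacker.example']
    print(verify_hostname("bank.example", MALICIOUS_DN, cn_extractor=naive_cns))  # True  (spoofed)
    print(verify_hostname("bank.example", MALICIOUS_DN))                           # False (rejected)
```

The practical check for a deployment is the same as the one the hardened path makes: a client must only compare the host it connected to against dNSName entries (or, failing those, real CN attributes) and must never derive names from the textual form of the DN. When auditing a bundled copy of the library, confirm that its hostname verifier is enabled on every SSL socket factory in use, not just the default one.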

Solutions for this threat 

Fedora: new jakarta-commons-httpclient packages.
New packages are available:
  Fedora 19: jakarta-commons-httpclient 3.1-15.fc19
  Fedora 20: jakarta-commons-httpclient 3.1-15.fc20

HP NNMi: patch.
A patch is listed in the information sources.

Mandriva: new jakarta-commons-httpclient packages.
New packages are available:
  Mandriva BS1: jakarta-commons-httpclient 3.1-8.1.mbs1

Red Hat Developer Toolset: new devtoolset-2-httpcomponents-client packages.
New packages are available:
  RHEL 6: devtoolset-2-httpcomponents-client 4.2.1-6.el6

Red Hat JBoss BPM/BRMS: version 6.1.0.
Version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.1.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.1.0

Red Hat JBoss BPM Suite: version 6.0.3 roll up patch 2.
Version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS/BPM Suite: version 6.0.3 roll up patch 1.
Version 6.0.3 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS: version 6.0.3 roll up patch 2.
Version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss Data Virtualization: version 6.0.0 2015 roll up patch 1.
Version 6.0.0 2015 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0

Red Hat JBoss Data Virtualization: version 6.1.0.
Version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=distributions&version=6.1.0

Red Hat JBoss EAP: new apache packages.
New packages are available:
  RHEL 5: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el5, wss4j 1.6.16-2.redhat_3.1.ep6.el5
  RHEL 6: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el6, wss4j 1.6.16-2.redhat_3.1.ep6.el6
  RHEL 7: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el7, wss4j 1.6.16-2.redhat_3.1.ep6.el7

Red Hat JBoss EAP: patch for Apache.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Enterprise Web Platform: solution for HttpComponents.
The solution is listed in the information sources.

Red Hat JBoss Fuse Service Works: version 6.0.0 roll up patch 4.
Version 6.0.0 roll up patch 4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

Red Hat JBoss: new httpcomponents-eap6-6-12.redhat packages.
New packages are available:
  RHEL 5: httpcomponents-eap6-6-12.redhat 2.1.ep6.el5
  RHEL 6: httpcomponents-eap6-6-12.redhat 2.1.ep6.el6
  RHEL 7: httpcomponents-eap6-6-12.redhat 2.1.ep6.el7

Red Hat JBoss Operations Network: version 3.2.3.
Version 3.2.3 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3.0

Red Hat JBoss: patch for HttpComponents.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Portal: version 6.2.0.
Version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

Red Hat JBoss: solution for Apache CXF.
The solution is listed in the information sources.

Red Hat JBoss Web Framework Kit: version 2.7.0.
Version 2.7.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

Red Hat Software Collections: new thermostat1-httpcomponents-client packages.
New packages are available:
  RHEL 6: thermostat1-httpcomponents-client 4.2.5-3.4.el6.1

RHEL 6 RHEV-M: new rhevm packages.
New packages are available:
  RHEL 6: rhevm 3.5.0-0.29.el6ev

Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
  Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
  Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1

WebSphere AS: version 8.5.5.9.
Version 8.5.5.9 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041819
