The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Apache Commons HttpClient: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Apache Commons HttpClient, in order to read or write data in the session.
Severity of this announcement: 2/4.
Creation date: 14/10/2015.
References of this computer vulnerability: 7036319, c05103564, CVE-2012-6153, FEDORA-2014-9539, FEDORA-2014-9581, HPSBMU03584, MDVSA-2014:170, RHSA-2014:1082-01, RHSA-2014:1098-01, RHSA-2014:1162-01, RHSA-2014:1163-01, RHSA-2014:1320-01, RHSA-2014:1321-01, RHSA-2014:1322-01, RHSA-2014:1323-01, RHSA-2014:1833-01, RHSA-2014:1834-01, RHSA-2014:1835-01, RHSA-2014:1836-01, RHSA-2014:1891-01, RHSA-2014:1892-01, RHSA-2014:1904-01, RHSA-2014:2019-01, RHSA-2014:2020-01, RHSA-2015:0125-01, RHSA-2015:0158-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:0850-01, RHSA-2015:0851-01, RHSA-2015:1009, USN-2769-1, VIGILANCE-VUL-18097.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle on Apache Commons HttpClient, in order to read or write data in the session.
Full Vigil@nce bulletin... (Request your free trial)

This cybersecurity alert impacts software or systems such as Fedora, HPE NNMi, WebSphere AS Traditional, RHEL, JBoss EAP by Red Hat, Ubuntu.

Our Vigil@nce team determined that the severity of this weakness is medium.

The trust level is "confirmed by the vendor", and the attack originates from an internet server.

An attacker with expert ability can exploit this security weakness.

Solutions for this threat

Fedora: new jakarta-commons-httpclient packages.
New packages are available:
  Fedora 19: jakarta-commons-httpclient 3.1-15.fc19
  Fedora 20: jakarta-commons-httpclient 3.1-15.fc20

HP NNMi: patch.
A patch is indicated in information sources.

Mandriva: new jakarta-commons-httpclient packages.
New packages are available:
  Mandriva BS1: jakarta-commons-httpclient 3.1-8.1.mbs1

Red Hat Developer Toolset: new devtoolset-2-httpcomponents-client packages.
New packages are available:
  RHEL 6: devtoolset-2-httpcomponents-client 4.2.1-6.el6

Red Hat JBoss BPM/BRMS: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.1.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.1.0

Red Hat JBoss BPM Suite: version 6.0.3 roll up patch 2.
The version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS/BPM Suite: version 6.0.3 roll up patch 1.
The version 6.0.3 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS: version 6.0.3 roll up patch 2.
The version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss Data Virtualization: version 6.0.0 2015 roll up patch 1.
The version 6.0.0 2015 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0

Red Hat JBoss Data Virtualization: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=distributions&version=6.1.0

Red Hat JBoss EAP: new apache packages.
New packages are available:
  RHEL 5: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el5, wss4j 1.6.16-2.redhat_3.1.ep6.el5
  RHEL 6: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el6, wss4j 1.6.16-2.redhat_3.1.ep6.el6
  RHEL 7: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el7, wss4j 1.6.16-2.redhat_3.1.ep6.el7

Red Hat JBoss EAP: patch for Apache.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Enterprise Web Platform: solution for HttpComponents.
The solution is indicated in information sources.

Red Hat JBoss Fuse Service Works: version 6.0.0 roll up patch 4.
The version 6.0.0 roll up patch 4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

Red Hat JBoss: new httpcomponents-eap6-6-12.redhat packages.
New packages are available:
  RHEL 5: httpcomponents-eap6-6-12.redhat 2.1.ep6.el5
  RHEL 6: httpcomponents-eap6-6-12.redhat 2.1.ep6.el6
  RHEL 7: httpcomponents-eap6-6-12.redhat 2.1.ep6.el7

Red Hat JBoss Operations Network: version 3.2.3.
The version 3.2.3 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3.0

Red Hat JBoss: patch for HttpComponents.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Portal: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

Red Hat JBoss: solution for Apache CXF.
The solution is indicated in information sources.

Red Hat JBoss Web Framework Kit: version 2.7.0.
The version 2.7.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

Red Hat Software Collections: new thermostat1-httpcomponents-client packages.
New packages are available:
  RHEL 6: thermostat1-httpcomponents-client 4.2.5-3.4.el6.1

RHEL 6 RHEV-M: new rhevm packages.
New packages are available:
  RHEL 6: rhevm 3.5.0-0.29.el6ev

Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
  Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
  Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1

WebSphere AS: version 8.5.5.9.
The version 8.5.5.9 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041819
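As an added check (example code written for this page, not part of the Vigil@nce bulletin or any vendor tooling), the following Python script compares a package inventory against a few of the fixed versions listed in the solutions above and reports hosts still below the fix. The inventory rows are constructed for illustration; the comparator is a simplified rpmvercmp-style segment comparison that is assumed adequate for the version strings on this page, while `rpm` and `dpkg --compare-versions` remain the authoritative comparators on a real host.

```python
"""Flag installed packages that are older than the fixed versions
listed in this bulletin (added example, not Vigil@nce's own tooling).

On a real host the inventory would come from
  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'      (Fedora / RHEL)
  dpkg-query -W -f='${Package} ${Version}\n'           (Ubuntu)
Here it is a constructed list so the script runs offline.
"""
import re

# Fixed versions copied from the bulletin's "Solutions for this threat".
FIXED = {
    ("fedora-19", "jakarta-commons-httpclient"): "3.1-15.fc19",
    ("fedora-20", "jakarta-commons-httpclient"): "3.1-15.fc20",
    ("rhel-6", "thermostat1-httpcomponents-client"): "4.2.5-3.4.el6.1",
    ("ubuntu-14.04", "libcommons-httpclient-java"): "3.1-10.2ubuntu0.14.04.1",
    ("ubuntu-12.04", "libcommons-httpclient-java"): "3.1-10ubuntu0.1",
}

# A version string is split into numeric runs, alphabetic runs and '~'.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def vercmp(a, b):
    """Simplified rpmvercmp-style comparison of two version strings.

    Numeric segments compare as integers, alphabetic segments lexically,
    a numeric segment beats an alphabetic one, a '~' sorts before
    everything (including the end of the string, so 1.0~rc1 < 1.0), and
    a longer string beats its own prefix.  Returns -1, 0 or 1.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1
    return 0


def find_vulnerable(inventory):
    """inventory: iterable of (distro, package, installed_version).

    Returns [(distro, package, installed, fixed)] for every row whose
    package is covered by the bulletin and is older than the fixed build.
    Packages the bulletin does not mention are ignored.
    """
    out = []
    for distro, pkg, installed in inventory:
        fixed = FIXED.get((distro, pkg))
        if fixed is not None and vercmp(installed, fixed) < 0:
            out.append((distro, pkg, installed, fixed))
    return out


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("fedora-20", "jakarta-commons-httpclient", "3.1-14.fc20"),          # older: flagged
    ("fedora-20", "jakarta-commons-httpclient", "3.1-15.fc20"),          # fixed build
    ("ubuntu-14.04", "libcommons-httpclient-java", "3.1-10.2"),          # older: flagged
    ("ubuntu-12.04", "libcommons-httpclient-java", "3.1-10ubuntu0.1"),   # fixed build
    ("rhel-6", "thermostat1-httpcomponents-client", "4.2.5-3.4.el6.1"),  # fixed build
    ("rhel-6", "some-other-package", "1.0-1"),                           # not in bulletin
]

if __name__ == "__main__":
    for row in find_vulnerable(SAMPLE_INVENTORY):
        print("NEEDS UPDATE: %s %s installed %s, fixed in %s" % row)
```

Run as-is it prints the two constructed rows that are below the fix; to use it on real systems, replace `SAMPLE_INVENTORY` with the output of the `rpm`/`dpkg-query` commands named in the docstring, keyed by the distribution names used in `FIXED`.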
