RHSA-2009:1649: Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update

Published Dec 9, 2009

JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.3.0.CP06.

These updated packages include bug fixes and enhancements which are detailed in the Release Notes, available shortly from:
http://www.redhat.com/docs/en-US/JBossEnterpriseApplicationPlatform/

The following security issues are also fixed with this release:

A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xml-security. An XML signature may declare an HMACOutputLength that truncates the MAC, and the library accepted any declared length, down to a single bit, so the truncated tag could be matched by trial. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217)

Swatej Kumar discovered cross-site scripting (XSS) flaws in the JBoss Application Server Web Console. An attacker could use these flaws to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-2405)

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

An information leak flaw was found in the twiddle command line client. The JMX password was logged in plain text to "twiddle.log". (CVE-2009-3554) Updating stops the logging but does not scrub passwords already written; existing twiddle.log files should be treated as containing the JMX credential, and that credential should be rotated.

An XSS flaw was found in the JMX Console. An attacker could use this flaw to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-1380)

Warning: Before applying this update, please backup the JBEAP "server/[configuration]/deploy/" directory, and any other customized configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
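To make the CVE-2009-0217 check concrete, the following is an added example (not code from the advisory or from the xml-security library) that models an HMAC signature verifier before and after the fix. The key, the SignedInfo bytes and the oracle model (the attacker submits candidate signatures and the server answers accept/reject) are constructed for the demo; the truncation semantics (leftmost bits of the MAC) and the RFC 2104 floor of at least 80 bits and at least half the digest length are the real rules the vulnerable code was not enforcing.

```python
import hashlib
import hmac

# Constructed demo inputs (not from the advisory): a verifier's shared key and the
# canonicalized SignedInfo bytes that an XML-DSig HMAC signature covers.
KEY = b"verifier-shared-secret"
SIGNED_INFO = b'<SignedInfo><Reference URI="#assertion"/></SignedInfo>'
DIGEST = "sha1"  # HMAC-SHA1, the mandatory XML-DSig core MAC algorithm


def truncate_bits(mac: bytes, output_bits: int) -> bytes:
    """Keep the leftmost output_bits of mac (RFC 2104 / HMACOutputLength semantics)."""
    nbytes = (output_bits + 7) // 8
    out = bytearray(mac[:nbytes])
    spare = nbytes * 8 - output_bits          # unused low bits of the last byte
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def truncated_hmac(key: bytes, data: bytes, output_bits: int) -> bytes:
    return truncate_bits(hmac.new(key, data, DIGEST).digest(), output_bits)


def verify_vulnerable(key: bytes, data: bytes, sig: bytes, output_bits: int) -> bool:
    """Pre-fix behaviour: honours whatever HMACOutputLength the document declares."""
    return hmac.compare_digest(truncated_hmac(key, data, output_bits), sig)


def min_output_bits(digest: str = DIGEST) -> int:
    """RFC 2104's floor: at least half the digest length and never below 80 bits."""
    return max(80, hashlib.new(digest).digest_size * 8 // 2)


def verify_fixed(key: bytes, data: bytes, sig: bytes, output_bits: int) -> bool:
    """Post-fix behaviour: reject any truncation below the recommended minimum."""
    if output_bits < min_output_bits():
        raise ValueError(
            f"HMACOutputLength {output_bits} below minimum {min_output_bits()}")
    return verify_vulnerable(key, data, sig, output_bits)


def forge(output_bits, oracle):
    """Attacker without the key: the document declares a tiny HMACOutputLength, so only
    2**output_bits distinct tags exist; submit each until the verifier (oracle) accepts.
    Returns (accepted_signature, attempts) or (None, attempts)."""
    nbytes = (output_bits + 7) // 8
    shift = nbytes * 8 - output_bits
    for attempt, value in enumerate(range(1 << output_bits), start=1):
        sig = (value << shift).to_bytes(nbytes, "big")
        if oracle(sig):
            return sig, attempt
    return None, 1 << output_bits


if __name__ == "__main__":
    oracle8 = lambda s: verify_vulnerable(KEY, SIGNED_INFO, s, 8)
    sig, tries = forge(8, oracle8)
    print("vulnerable verifier accepted forged 8-bit tag after", tries, "tries")
    try:
        verify_fixed(KEY, SIGNED_INFO, sig, 8)
    except ValueError as e:
        print("fixed verifier:", e)
```

The attacker never learns the key: with HMACOutputLength declared as 8 the whole tag space is 256 values, and at 1 bit it is two. The fix is a length policy, not a change to the MAC, which is why the check belongs in the verifier regardless of what the signed document asks for.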
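For CVE-2009-2625 the practical control, when the application does not need DTDs, is to refuse any DOCTYPE before the parser scans it; in Xerces that is the feature http://apache.org/xml/features/disallow-doctype-decl. The following added example (not from the advisory or from Xerces) applies the same policy on Python's expat parser in two layers: a byte pre-scan that rejects the document before the declaration is tokenized, and a parser handler as a backstop. The sample documents are constructed for the demo.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE and the policy is to refuse DTDs."""


def parse_without_doctype(xml_bytes: bytes, prescan: bool = True) -> list:
    """Parse an untrusted document, refusing any DTD; returns the element names seen.

    Layer 1 (prescan): reject on the literal '<!DOCTYPE' before the parser runs, so a
    hostile SYSTEM identifier is never scanned at all. This fails closed: a comment or
    CDATA section containing the literal is also rejected, which is acceptable here.
    Layer 2: expat's StartDoctypeDeclHandler aborts if a DOCTYPE reaches the parser.
    """
    if prescan and b"<!DOCTYPE" in xml_bytes:
        raise DoctypeRejected("DTD declaration present; DTDs are not accepted")

    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse(), stopping the parse.
        raise DoctypeRejected(f"DOCTYPE {name!r} (SYSTEM {sysid!r}) not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)
    return seen


# Constructed sample documents (not from the advisory).
CLEAN = b'<?xml version="1.0"?><deployment><service name="jmx"/></deployment>'
WITH_SYSTEM_ID = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE deployment SYSTEM "http://dtd.example/deployment.dtd">'
                  b'<deployment/>')


if __name__ == "__main__":
    print(parse_without_doctype(CLEAN))
    for layer in (True, False):
        try:
            parse_without_doctype(WITH_SYSTEM_ID, prescan=layer)
        except DoctypeRejected as e:
            print("rejected (prescan=%s):" % layer, e)
```

The pre-scan is the layer that actually addresses a CPU-exhaustion bug in identifier scanning: a handler only fires after the parser has already consumed the declaration. Keep both, because the pre-scan is deliberately crude and the handler documents the policy at the parser itself.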
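For CVE-2009-3554, the added example below (not the advisory's or JBoss's code) shows both sides of the problem: redacting the password from an argument vector before it is logged, and auditing an existing log for passwords already written. The option spellings handled (-p <pw>, -p<pw>, --password <pw>, --password=<pw>) and the log excerpt are assumptions constructed for the demo; adjust them to the client you actually wrap.

```python
import re

# Assumption (not from the advisory): the client takes its password as "-p <pw>",
# "-p<pw>", "--password <pw>" or "--password=<pw>".
PASSWORD_FLAGS = ("--password", "-p")
REDACTED = "[REDACTED]"


def redact_argv(argv):
    """Return a copy of argv that is safe to write to a log: password values replaced."""
    out = []
    hide_next = False
    for arg in argv:
        if hide_next:                       # value following a separate -p/--password
            out.append(REDACTED)
            hide_next = False
        elif arg in PASSWORD_FLAGS:
            out.append(arg)
            hide_next = True
        elif arg.startswith("--password="):
            out.append("--password=" + REDACTED)
        elif arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            out.append("-p" + REDACTED)     # bundled short form; fails closed for -pXXX
        else:
            out.append(arg)
    return out


# Separate-value and "=" forms as they appear in a logged argv; a preceding '-' or word
# character is excluded so "--password" is not also matched as "-p".
LEAK_RE = re.compile(r"(?<![\w-])(--password|-p)(?:=|,?\s+)([^\s,\]]+)")


def find_leaks(log_text):
    """Audit an existing log: (line_number, password) for each plaintext password found."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in LEAK_RE.finditer(line):
            hits.append((lineno, m.group(2)))
    return hits


# Constructed log excerpt (not a real twiddle.log); line 2 records the full argv.
SAMPLE_LOG = """\
2009-12-09 10:15:22,017 INFO  [Twiddle] connecting to jnp://localhost:1099
2009-12-09 10:15:22,020 DEBUG [Twiddle] args: [-s, localhost, -u, admin, -p, s3cret!, get, jboss.system:type=Server, Started]
2009-12-09 10:15:22,311 INFO  [Twiddle] Started=true
"""


if __name__ == "__main__":
    print(redact_argv(["-s", "localhost", "-u", "admin", "-p", "s3cret!", "get", "x"]))
    print(find_leaks(SAMPLE_LOG))
```

Redaction at the logging call site is the fix pattern; the audit regex is for triage of logs that predate the update, after which the affected credential should be rotated and the log files removed or access-restricted.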

Affected Software

58 affected components (34 distinct packages); fixes available. Versions earlier than the one listed are affected; the listed version contains the fix.

redhat/glassfish-jaxb: 2.1.4-1.12.patch03.1.ep1.el5
redhat/glassfish-jaxb-javadoc: 2.1.4-1.12.patch03.1.ep1.el5
redhat/glassfish-jsf: 1.2_13-2.1.ep1.el5
redhat/hibernate3: 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5
redhat/hibernate3-annotations: 3.3.1-1.11GA_CP02.ep1.el5
redhat/hibernate3-annotations-javadoc: 3.3.1-1.11GA_CP02.ep1.el5
redhat/hibernate3-entitymanager: 3.3.2-2.5.1.ep1.el5
redhat/hibernate3-entitymanager-javadoc: 3.3.2-2.5.1.ep1.el5
redhat/hibernate3-javadoc: 3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5
redhat/jacorb: 2.3.0-1jpp.ep1.9.1.el5
redhat/jboss-aop: 1.5.5-3.CP04.2.ep1.el5
redhat/jboss-common: 1.2.1-0jpp.ep1.3.el5.1
redhat/jboss-messaging: 1.4.0-3.SP3_CP09.4.ep1.el5
redhat/jboss-remoting: 2.2.3-3.SP1.ep1.el5
redhat/jboss-seam: 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1
redhat/jboss-seam-docs: 1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1
redhat/jboss-seam2: 2.0.2.FP-1.ep1.18.el5
redhat/jboss-seam2-docs: 2.0.2.FP-1.ep1.18.el5
redhat/jbossas: 4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jbossas: 4.3.0.GA_CP07-bin-4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jbossas-client: 4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jbossts: 4.2.3-1.SP5_CP08.1jpp.ep1.1.el5
redhat/jbossweb: 2.0.0-6.CP12.0jpp.ep1.2.el5
redhat/jbossws: 2.0.1-4.SP2_CP07.2.1.ep1.el5
redhat/jbossws-common: 1.0.0-2.GA_CP05.1.ep1.el5
redhat/jbossws-framework: 2.0.1-1.GA_CP05.1.ep1.el5
redhat/jbossws-native42: 2.0.1-4.SP2_CP07.2.1.ep1.el5
redhat/jcommon: 1.0.16-1.1.ep1.el5
redhat/jfreechart: 1.0.13-2.3.1.ep1.el5
redhat/jgroups: 2.4.7-1.ep1.el5
redhat/quartz: 1.5.2-1jpp.patch01.ep1.4.1.el5
redhat/rh-eap-docs: 4.3.0-6.GA_CP07.ep1.3.el5
redhat/rh-eap-docs-examples: 4.3.0-6.GA_CP07.ep1.3.el5
redhat/xml-security: 1.3.0-1.3.patch01.ep1.2.1.el5

Remediation

Back up the JBEAP "server/[configuration]/deploy/" directory and any customized configuration files, then upgrade every affected package to the fixed version listed above and restart the server so the updated jars are loaded.
Event History

Dec 9, 2009: Advisory published via Red Hat.

Frequently Asked Questions

1. What is the severity of RHSA-2009:1649?

Red Hat rates RHSA-2009:1649 as Moderate, as stated in the advisory title.

2. How do I fix RHSA-2009:1649?

Back up the "server/[configuration]/deploy/" directory and any customized configuration files, then update the affected packages to the versions listed in the advisory and restart JBEAP.

3. What software packages are affected by RHSA-2009:1649?

RHSA-2009:1649 updates the JBEAP 4.3 package set on Red Hat Enterprise Linux 5, including glassfish-jaxb, hibernate3, jbossas, jbossweb, jbossws and xml-security; the full list is given above.

4. Is there a workaround for RHSA-2009:1649?

The advisory provides no workaround; updating is recommended.

5. When was RHSA-2009:1649 released?

RHSA-2009:1649 was released on December 9, 2009.
