RHSA-2014:1162: Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update
Red Hat JBoss Enterprise Application Platform 6 is a platform for Javaapplications based on JBoss Application Server 7.It was found that the fix for CVE-2012-5783 was incomplete: the code addedto check that the server host name matches the domain name in a subject'sCommon Name (CN) field in X.509 certificates was flawed.A man-in-the-middle attacker could use this flaw to spoof an SSL serverusing a specially crafted X.509 certificate. (CVE-2012-6153)It was discovered that the HttpClient incorrectly extracted host name froman X.509 certificate subject's Common Name (CN) field. A man-in-the-middleattacker could use this flaw to spoof an SSL server using a speciallycrafted X.509 certificate. (CVE-2014-3577)The CVE-2012-6153 issue was discovered by Florian Weimer of Red HatProduct Security.For additional information on these flaws, refer to the Knowledgebasearticle in the References section.All users of Red Hat JBoss Enterprise Application Platform 6.3.0 on Red HatEnterprise Linux 5, 6, and 7 are advised to upgrade to these updatedpackages. The JBoss server process must be restarted for the update totake effect.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2014:1162?
The severity of RHSA-2014:1162 is classified as important.
How do I fix RHSA-2014:1162?
To fix RHSA-2014:1162, update the affected packages to the specified versions for your system.
Which packages are affected by RHSA-2014:1162?
Affected packages include httpcomponents-eap6, httpclient-eap6, and httpcore-eap6 among others.
When was RHSA-2014:1162 released?
RHSA-2014:1162 was released on November 5, 2014.
What is the primary issue addressed in RHSA-2014:1162?
The primary issue addressed in RHSA-2014:1162 is an incomplete fix for CVE-2012-5783.