RHSA-2014:1833: Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was discovered that the HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

For additional information on these flaws, refer to the Knowledgebase article in the References section.

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
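To make the flaw concrete, the following added example (written for this page, not HttpClient's or Red Hat's own code) contrasts a naive CN extraction that splits the subject DN string on commas with one that parses the DN into RDNs using javax.naming.ldap.LdapName. The subject DN is constructed for the illustration; the host names in it are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtraction {
    // Constructed subject DN in RFC 2253 form (not taken from any real certificate):
    // the O value contains an escaped comma followed by the literal text "CN=",
    // which is the kind of subject the advisory describes as specially crafted.
    static final String CRAFTED_DN =
        "CN=attacker.example,O=foo\\,CN=www.example.com,C=US";

    // Flawed extraction, illustrating the class of bug described above (not the
    // library's actual code): split the DN string on commas and take whatever follows
    // "CN=" in each piece. Escaping is ignored, so text inside a different attribute
    // value is mistaken for a Common Name.
    static List<String> naiveCns(String dn) {
        List<String> cns = new ArrayList<>();
        for (String tok : dn.split(",")) {
            int x = tok.indexOf("CN=");
            if (x >= 0) cns.add(tok.substring(x + 3).trim());
        }
        return cns;
    }

    // Hardened extraction: parse the DN with a real RFC 2253 parser and keep only the
    // values of RDNs whose attribute type is CN. An escaped comma stays inside its value.
    static List<String> parsedCns(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(rdn.getValue().toString());
        }
        return cns;
    }

    // Exact, case-insensitive comparison of the expected host against the extracted CNs.
    static boolean hostMatches(String host, List<String> cns) {
        for (String cn : cns) if (cn.equalsIgnoreCase(host)) return true;
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        String expectedHost = "www.example.com";
        System.out.println("naive:  " + naiveCns(CRAFTED_DN)
            + " match=" + hostMatches(expectedHost, naiveCns(CRAFTED_DN)));
        System.out.println("parsed: " + parsedCns(CRAFTED_DN)
            + " match=" + hostMatches(expectedHost, parsedCns(CRAFTED_DN)));
    }
}
```

The naive extractor reports a match for the expected host because it picks up the "CN=" text embedded in the O value, while the RDN-based extractor only sees the genuine CN and rejects it. A complete verifier should also check subjectAltName dNSName entries first and fall back to the CN only when the certificate carries none.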
Frequently Asked Questions
What is the severity of RHSA-2014:1833?
The severity of RHSA-2014:1833 is classified as important.
How do I fix RHSA-2014:1833?
To fix RHSA-2014:1833, update the affected apache-cxf package to version 2.2.12-14.patch_09.el6 or 2.2.12-14.patch_09.ep5.el5.
Which systems are affected by RHSA-2014:1833?
RHSA-2014:1833 affects Red Hat JBoss Enterprise Web Platform running apache-cxf versions earlier than 2.2.12-14.patch_09.el6 and 2.2.12-14.patch_09.ep5.el5.
What is the nature of the vulnerability in RHSA-2014:1833?
The vulnerability in RHSA-2014:1833 involves incorrect extraction of the host name from an X.509 certificate subject's Common Name (CN).
Is there an update available for RHSA-2014:1833?
Yes, updates are available for the affected packages in RHSA-2014:1833 to address the vulnerability.