RHSA-2014:1834: Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Red Hat JBoss Enterprise Application Platform is a platform for Javaapplications, which integrates the JBoss Application Server with JBossHibernate and JBoss Seam.It was discovered that the HttpClient incorrectly extracted host name froman X.509 certificate subject's Common Name (CN) field. A man-in-the-middleattacker could use this flaw to spoof an SSL server using a speciallycrafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)The CVE-2012-6153 issue was discovered by Florian Weimer of Red HatProduct Security.For additional information on these flaws, refer to the Knowledgebasearticle in the References section.All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red HatEnterprise Linux 4, 5, and 6 are advised to upgrade to these updatedpackages. The JBoss server process must be restarted for the update to takeeffect.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2014:1834?
The severity of RHSA-2014:1834 is classified as important.
How do I fix RHSA-2014:1834?
To fix RHSA-2014:1834, you should update to the patched version 2.2.12-14.patch_09.el6 or 2.2.12-14.patch_09.ep5.el5 depending on your system.
What software is affected by RHSA-2014:1834?
RHSA-2014:1834 affects the Apache CXF packages included in Red Hat JBoss Enterprise Application Platform.
What type of vulnerability is addressed in RHSA-2014:1834?
RHSA-2014:1834 addresses a vulnerability related to incorrect host name extraction from an X.509 certificate.
Is there a workaround for RHSA-2014:1834?
There are no specific workarounds mentioned for RHSA-2014:1834, so applying the update is recommended.