RHSA-2014:1904: Important: Red Hat JBoss Operations Network 3.3.0 update
Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.0 release serves as a replacement for JBoss Operations Network 3.2.3, and includes several bug fixes. Refer to the JBoss Operations Network 3.3.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/

The following security issues are also fixed with this release:

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity (XXE) attacks on RESTEasy applications accepting XML input. (CVE-2014-3481)

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file. (CVE-2014-0059)

The CVE-2013-2035 and CVE-2012-6153 issues were discovered by Florian Weimer of Red Hat Product Security. The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team. The CVE-2014-3490 issue was discovered by David Jorm of Red Hat Product Security.

All users of JBoss Operations Network 3.2.3 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.3.0.
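The hostname-verification issue (CVE-2012-6153, CVE-2014-3577) is a parsing bug: the CN was pulled out of the certificate subject's distinguished-name string by splitting on commas, so an attribute whose value contains an escaped ",CN=..." fragment produces a bogus CN token. The following is an added example, not HttpClient or JBoss ON code, showing that class of flaw next to a parse that honours RFC 2253 escaping; the subject DN and host names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example: comma-split CN extraction versus a real RDN parse.
 * Modelled on the class of bug described for CVE-2012-6153; not HttpClient source.
 */
public class CnExtractionDemo {

    /** Flawed: tokenizes the RFC 2253 string on ',' and accepts any token that starts with "CN=". */
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String token : subjectDn.split(",")) {
            String t = token.trim();
            if (t.regionMatches(true, 0, "CN=", 0, 3)) {
                cns.add(t.substring(3));
            }
        }
        return cns;
    }

    /** Correct: parse into RDNs first, so "\," inside a value never starts a new attribute. */
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    /** Exact, case-insensitive match of the requested host against the extracted CNs. */
    static boolean hostMatches(String host, List<String> cns) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed attacker subject (RFC 2253 form): the genuine CN is the attacker's
        // host; the O value carries an escaped comma followed by a fake "CN=" fragment.
        String attackerDn = "CN=attacker.example,O=Evil\\,CN=www.victim.example";
        String targetHost = "www.victim.example";

        // naive split yields tokens "CN=attacker.example", "O=Evil\", "CN=www.victim.example"
        System.out.println("naive  match: " + hostMatches(targetHost, naiveCns(attackerDn)));
        // LdapName yields RDNs CN=attacker.example and O="Evil,CN=www.victim.example"
        System.out.println("parsed match: " + hostMatches(targetHost, parsedCns(attackerDn)));
    }
}
```

With the naive extraction the attacker's certificate is accepted for www.victim.example; with the RDN parse it is not. The attacker only needs a certificate a public CA will issue for attacker.example with an arbitrary O value, which is why the advisory rates this as server spoofing by a man-in-the-middle. Current practice (RFC 6125) goes further and matches the subjectAltName dNSName entries rather than the CN at all.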
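CVE-2014-3481 and CVE-2014-3490 are both about which parser switches are off by default. The second one in particular shows that turning off general-entity expansion is not enough: an attacker can drive the file read from an external parameter entity, which is processed while the DTD is being read. The following is an added example using the JDK's JAXP API, not RESTEasy's own code, that puts a partially hardened DocumentBuilder next to a fully hardened one; the payload is constructed for illustration and the feature URIs are the standard SAX/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: incomplete versus complete XXE hardening of a JAXP DOM parser. */
public class XxeHardeningDemo {

    // Constructed payload in the shape CVE-2014-3490 concerns: the external resource is
    // referenced from a *parameter* entity (%dtd;), not a general entity (&x;), so a parser
    // that only stops general-entity expansion still opens the file while reading the DTD.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE order [\n"
        + "  <!ENTITY % dtd SYSTEM \"file:///etc/passwd\">\n"
        + "  %dtd;\n"
        + "]>\n"
        + "<order><id>42</id></order>";

    /** Incomplete: the equivalent of "do not expand entity references" alone. */
    static DocumentBuilder partiallyHardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // external-parameter-entities and external DTD loading are left at their defaults,
        // so %dtd; above is still resolved and /etc/passwd is still opened by the parser.
        return f.newDocumentBuilder();
    }

    /** Complete: refuse DOCTYPE outright and switch off every external-resource path. */
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse the payload and report whether the parser accepted the document or rejected it. */
    static String parse(DocumentBuilder builder) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8)));
            return "accepted root <" + doc.getDocumentElement().getTagName() + ">";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // The partially hardened parser attempts to read /etc/passwd as a DTD before
        // deciding anything; the hardened one rejects the DOCTYPE without opening any file.
        System.out.println("partial : " + parse(partiallyHardened()));
        System.out.println("hardened: " + parse(hardened()));
    }
}
```

If an application genuinely needs a DOCTYPE, drop the disallow-doctype-decl line and keep the rest; disabling both entity classes and external DTD loading is the minimum. In a RESTEasy deployment the corresponding switch is the resteasy.document.expand.entity.references context parameter named in the advisory, which on a fixed RESTEasy also disables parameter entities; on an unfixed one it did not, which is what CVE-2014-3490 is.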
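CVE-2013-2035 and CVE-2014-0059 are the two local filesystem issues in this advisory: a native library written to a guessable name in the shared /tmp, and an audit log created world-readable. The same two rules fix both: create the file where nobody else can reach it, and set owner-only permissions at creation time rather than afterwards. The following is an added example written against java.nio.file, not HawtJNI or PicketBox code; it assumes a POSIX filesystem and a caller that supplies the bundled library as an InputStream.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Added example: owner-only temp extraction and owner-only log creation (POSIX only). */
public class PrivateFilesDemo {

    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY_DIR =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY_FILE =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    /**
     * Unpack a bundled native library into a freshly created, randomly named, mode 0700
     * directory. No other local user can pre-create or replace anything under it, so the
     * write-then-load window that CVE-2013-2035 exploited is closed.
     */
    static Path extractNativeLibrary(InputStream bundled, String libName) throws IOException {
        Path dir = Files.createTempDirectory("native-", OWNER_ONLY_DIR);
        Path target = dir.resolve(libName);
        // Files.copy refuses to overwrite: if a file is somehow already there, fail rather
        // than silently reuse it.
        Files.copy(bundled, target);
        Files.setPosixFilePermissions(target, PosixFilePermissions.fromString("rwx------"));
        return target;
    }

    /**
     * Create the audit log with mode 0600 in the same call that creates it, so there is
     * never a moment when it exists world-readable (the CVE-2014-0059 condition). An
     * existing log is tightened in place.
     */
    static Path openAuditLog(Path path) throws IOException {
        if (Files.notExists(path)) {
            Files.createFile(path, OWNER_ONLY_FILE);
        } else {
            Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"));
        }
        return path;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a library read out of a JAR.
        byte[] fakeLib = "not really an ELF".getBytes();
        Path lib = extractNativeLibrary(new java.io.ByteArrayInputStream(fakeLib), "libdemo.so");
        System.out.println(lib + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(lib)));

        Path log = openAuditLog(Files.createTempDirectory("audit-", OWNER_ONLY_DIR).resolve("audit.log"));
        System.out.println(log + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(log)));
    }
}
```

The directory is the important part for the library case: a predictable file name inside a 0700 directory is harmless, while an unpredictable name directly in a world-writable /tmp is still racy against symlink tricks. For the log case, chmod after the fact is what leaves the race; passing the permissions into createFile removes it.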
Affected Software
Red Hat JBoss Operations Network 3.2.3, as provided from the Red Hat Customer Portal.
Remediation
Upgrade to Red Hat JBoss Operations Network 3.3.0, which replaces 3.2.3 and contains the fixes listed above.
Frequently Asked Questions
What is the severity of RHSA-2014:1904?
The severity level of RHSA-2014:1904 is classified as important.
How do I fix RHSA-2014:1904?
To fix RHSA-2014:1904, upgrade Red Hat JBoss Operations Network 3.2.3 to version 3.3.0, the replacement release provided with the advisory.
What specific components are affected by RHSA-2014:1904?
RHSA-2014:1904 affects Red Hat JBoss Operations Network 3.2.3; version 3.3.0 is the fixed release. The vulnerable pieces bundled in the product are the Apache HttpClient hostname verifier (CVE-2012-6153, CVE-2014-3577), RESTEasy's XML entity handling (CVE-2014-3481, CVE-2014-3490), the HawtJNI Library class (CVE-2013-2035), and PicketBox/JBossSX audit logging (CVE-2014-0059).
Is there a workaround for RHSA-2014:1904?
The advisory does not describe workarounds for these issues; the remediation it gives is to upgrade to JBoss Operations Network 3.3.0.
When was RHSA-2014:1904 released?
RHSA-2014:1904 was released on November 5, 2014.