RHSA-2014:2019: Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update

Published Dec 18, 2014
·
Updated

Red Hat JBoss Enterprise Application Platform 6 is a platform for Javaapplications based on JBoss Application Server 7.It was discovered that the Apache CXF incorrectly extracted the host namefrom an X.509 certificate subject's Common Name (CN) field.A man-in-the-middle attacker could use this flaw to spoof an SSL serverusing a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)It was found that Apache WSS4J (Web Services Security for Java), as used byApache CXF with the TransportBinding, did not, by default, properly enforceall security requirements associated with SAML SubjectConfirmation methods.A remote attacker could use this flaw to perform various types of spoofingattacks on web service endpoints secured by WSS4j that rely on SAML forauthentication. (CVE-2014-3623)The CVE-2012-6153 issue was discovered by Florian Weimer of Red HatProduct Security.All users of Red Hat JBoss Enterprise Application Platform 6.3.2 on RedHat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updatedpackages. The JBoss server process must be restarted for the update totake effect.

Affected Software

12 affected componentsFixes available
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el6
2.7.12-1.SP1_redhat_5.1.ep6.el6
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el6
1.6.16-2.redhat_3.1.ep6.el6
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el6
2.7.12-1.SP1_redhat_5.1.ep6.el6
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el6
1.6.16-2.redhat_3.1.ep6.el6
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el7
2.7.12-1.SP1_redhat_5.1.ep6.el7
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el7
1.6.16-2.redhat_3.1.ep6.el7
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el7
2.7.12-1.SP1_redhat_5.1.ep6.el7
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el7
1.6.16-2.redhat_3.1.ep6.el7
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el5
2.7.12-1.SP1_redhat_5.1.ep6.el5
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el5
1.6.16-2.redhat_3.1.ep6.el5
redhat/apache-cxf<2.7.12-1.SP1_redhat_5.1.ep6.el5
2.7.12-1.SP1_redhat_5.1.ep6.el5
redhat/wss4j<1.6.16-2.redhat_3.1.ep6.el5
1.6.16-2.redhat_3.1.ep6.el5

Remediation

Event History

Dec 18, 2014
Advisory Published
12:00 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of RHSA-2014:2019?

The severity of RHSA-2014:2019 is classified as important.

2

How do I fix RHSA-2014:2019?

To fix RHSA-2014:2019, upgrade to the versions 2.7.12-1.SP1_redhat_5.1.ep6.el5, el6, or el7 for apache-cxf and 1.6.16-2.redhat_3.1.ep6.el5, el6, or el7 for wss4j.

3

Which software is affected by RHSA-2014:2019?

RHSA-2014:2019 affects Red Hat JBoss Enterprise Application Platform 6, specifically the apache-cxf and wss4j packages.

4

What type of vulnerability is described in RHSA-2014:2019?

The vulnerability described in RHSA-2014:2019 involves the incorrect extraction of host names from X.509 certificate subject's Common Name (CN) field.

5

Is there a workaround for RHSA-2014:2019?

No specific workaround is suggested for RHSA-2014:2019; upgrading to the patched software versions is recommended.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203