RHSA-2015:0720: Important: Red Hat JBoss Fuse Service Works 6.0.0 security update
Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section.

CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2014-3625 spring: Spring Framework: directory traversal flaw
CVE-2014-3578 spring: Spring Framework: Directory traversal
CVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via ReflectionHelper
CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
CVE-2014-3490 RESTEasy: XXE via parameter entities
CVE-2014-3481 jboss-as-jaxrs: JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
CVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller role check implementation
CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
CVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web application
CVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious content length header
CVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied XSLTs
CVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding input filter
CVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
CVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue; CA Technologies for reporting the CVE-2014-3472 issue; and Alexander Papadakis for reporting the CVE-2014-3530 issue. The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security; the CVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; the CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team; and the CVE-2014-0075 and CVE-2014-3490 issues were discovered by David Jorm of Red Hat Product Security.

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
Frequently Asked Questions
What is the severity of RHSA-2015:0720?
The severity of RHSA-2015:0720 is typically classified as moderate due to the nature of the bug fixes included.
How do I fix RHSA-2015:0720?
To fix RHSA-2015:0720, apply the latest cumulative upgrade patch for Red Hat JBoss Fuse Service Works 6.0.0.
What products are affected by RHSA-2015:0720?
RHSA-2015:0720 affects Red Hat JBoss Fuse Service Works version 6.0.0.
What types of issues are addressed in RHSA-2015:0720?
RHSA-2015:0720 addresses various bug fixes related to stability and performance improvements.
Is there a README file associated with RHSA-2015:0720?
Yes, there is a README file included with RHSA-2015:0720 that lists the specific bug fixes.