-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss A-MQ 6.3 security update
Advisory ID: RHSA-2016:2036-01
Product: Red Hat JBoss A-MQ
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2036.html
Issue date: 2016-10-06
CVE Names: CVE-2015-3192 CVE-2015-7940 CVE-2016-4437
=====================================================================
1. Summary:
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat
JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for
installation instructions.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML
input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract
private keys
1343346 - CVE-2016-4437 shiro: Security constraint bypass
5. References:
https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3
6. Contact:
The Red Hat security contact is <secal...@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFX9nl/XlSAg2UNWIIRAn5DAKCeqOJhy3a+EAGO1sG/lNuo/JWFgQCfQRGS
3jDFUUI5eQBAO6ioMdCl8mQ=
=CjkF
-----END PGP SIGNATURE-----
_______________________________________________
Jboss-watch-list mailing list
Jboss-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/jboss-watch-list
