-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 5.1.0 security update
Advisory ID:       RHSA-2011:1334-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-1334.html
Issue date:        2011-09-22
CVE Names:         CVE-2011-2894 
=====================================================================

1. Summary:

Updated Spring Framework 3 files for JBoss Enterprise SOA Platform 5.1.0
that fix multiple security issues are now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure. JBoss Enterprise SOA Platform allows IT
to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.

Multiple flaws were found in the way Spring Framework 3 deserialized
certain Java objects. If an attacker were able to control the stream from
which an application with the Spring Framework 3 AOP in its class-path was
deserializing objects, they could use these flaws to execute arbitrary code
with the privileges of the JBoss Application Server process via a
specially-crafted, serialized Java object. (CVE-2011-2894)

Note: JBoss Enterprise SOA Platform does not expose applications that
deserialize objects from an untrusted source by default. These flaws would
affect applications configured to trust a malicious source, for example,
if the messaging service was configured to look up a remote messaging
queue, and an attacker had control of that queue.

All users of JBoss Enterprise SOA Platform 5.1.0 as provided from the Red
Hat Customer Portal are advised to install this update. Refer to the
Solution section for information about installing the update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise SOA Platform installation (including its
databases, applications, configuration files, and so on).

If you have created custom applications that are packaged with a copy of
the Spring Framework 3 library, those applications must be rebuilt with the
Spring Framework 3 files provided by this update.

Note that it is recommended to halt the JBoss Enterprise SOA Platform
server by stopping the JBoss Application Server process before installing
this update, and then after installing the update, restart the JBoss
Enterprise SOA Platform server by starting the JBoss Application Server
process.

4. Bugs fixed (http://bugzilla.redhat.com/):

737611 - CVE-2011-2894 Spring Framework, Spring Security:  Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-2894.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.1.0+GA

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOe2u0XlSAg2UNWIIRAko1AJ9jCnICBuYt0Ou2XIybJd3dHE/axACfQe48
rPSltdXnEliw5kYHw+eukDg=
=b+0C
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce