Moritz Muehlenhoff
2010-May-11 19:03 UTC
[Secure-testing-team] Bug#581226: Multiple security issues
Package: jbossas4
Severity: grave
Tags: security

The following security issues have been reported against jbossas4:

CVE-2010-0738: The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
https://bugzilla.redhat.com/show_bug.cgi?id=574105

CVE-2010-1428: The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
https://bugzilla.redhat.com/show_bug.cgi?id=585899

CVE-2010-1429: Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
https://bugzilla.redhat.com/show_bug.cgi?id=585900

I've noticed the following in README.Debian:

| jbossas4 is currently in a very alpha stage of packaging. It can be used
| to build other libraries depending on JBoss like libhibernate3-java but
| it is not complete and cannot be used as an application server yet.

Does this mean these issues don't affect jbossas4 as packaged in Debian? If so we should limit the scope of security support for Squeeze.
Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash