Red Hat Jboss 5.1.2

by candnalyre1980 2020. 3. 3. 14:29


Synopsis
Low: JBoss Enterprise Application Platform 5.1.2 update

Type/Severity
Security Advisory: Low

Topic
JBoss Enterprise Application Platform 5.1.2, which fixes two security issues, various bugs, and adds several enhancements is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description
JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. OpenID4Java allows you to implement OpenID authentication in your Java applications. OpenID4Java is a Technology Preview.

This JBoss Enterprise Application Platform 5.1.2 release serves as a replacement for JBoss Enterprise Application Platform 5.1.1, and includes bug fixes and enhancements. Refer to the JBoss Enterprise Application Platform 5.1.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from

The following security issues are also fixed with this release:

It was found that the invoker servlets, deployed by default via httpha-invoker, only performed access control on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Due to the second layer of authentication provided by a security interceptor, this issue is not exploitable on default installations unless an administrator has misconfigured the security interceptor or disabled it. (CVE-2011-4085)

It was found that the Attribute Exchange (AX) extension of OpenID4Java was not checking to ensure attributes were signed. If AX was being used to receive information that an application only trusts the identity provider to assert, a remote attacker could use this flaw to conduct man-in-the-middle attacks and compromise the integrity of the information via a specially-crafted request. By default, only the JBoss Seam openid example application uses OpenID4Java.
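As an added illustration of the invoker servlet issue (CVE-2011-4085), not code from Red Hat or from the advisory: a Python check that flags security-constraint entries in a web.xml whose authentication requirement applies only to the HTTP methods they list. It assumes the access control in question is expressed as a servlet security-constraint; the sample descriptors, URL pattern and role name are constructed.

```python
import xml.etree.ElementTree as ET

# Methods a servlet container may dispatch; anything not listed in a
# constraint's <http-method> elements is left outside that constraint.
ALL_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample descriptor (not copied from a JBoss distribution).
WEAK = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>invoker</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
</security-constraint></web-app>"""

# Same constraint with the <http-method> elements removed: it covers every method.
FIXED = "\n".join(line for line in WEAK.splitlines() if "<http-method>" not in line)

def _kids(elem, name):
    # Compare local names so namespaced and plain web.xml files both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def uncovered_methods(web_xml_text):
    """Map each protected url-pattern to the HTTP methods its constraint skips.

    Each constraint is judged on its own; a second constraint on the same
    pattern that covers the remaining methods is not taken into account.
    """
    findings = {}
    root = ET.fromstring(web_xml_text)
    for sc in _kids(root, "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue  # constraint requires no authentication
        for wrc in _kids(sc, "web-resource-collection"):
            listed = {m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text}
            if not listed:
                continue  # no method list: the constraint applies to all methods
            for pat in _kids(wrc, "url-pattern"):
                findings[pat.text.strip()] = sorted(ALL_METHODS - listed)
    return findings

if __name__ == "__main__":
    print("weak :", uncovered_methods(WEAK))
    print("fixed:", uncovered_methods(FIXED))
```
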


(Red Hat Issues Fix for JBoss) Apache Commons Components Deserialization in InvokerTransformer Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker

Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): A-MQ 6.2.1; BPM Suite 6.2.0; BRMS 6.2.0; Data Grid 6.4.1, 6.5.1; EAP 4.3.10, 5.1.2, 5.2, 6.1, 6.2, 6.3, 6.4; Fuse 6.2.1; Fuse Service Works 6.0.0; Operations Network 3.2.3; SOA 5.3.1; Web Server 3.0.1

Description: A vulnerability was reported in Apache Commons Components. A remote user can execute arbitrary code on the target system.