Red Hat JBoss Information Disclosure vulnerabilities

 

Systems Affected


Red Hat JBoss Fuse version 6.1.0
Red Hat JBoss A-MQ version 6.1.0

Threat Level


Medium


Overview


Multiple vulnerabilities have been reported in Red Hat JBoss Fuse and A-MQ which could be exploited by remote attackers to obtain potentially sensitive information on the target system.


Description


JBoss Fuse is an open source Enterprise Service Bus (ESB) with an elastic footprint that supports integration beyond the data center. JBoss A-MQ is a high performance, flexible messaging platform that delivers information safely. Multiple potential information disclosure vulnerabilities have been reported in the way JBoss processes XML External Entity (XXE) declarations.

1. Information Disclosure Vulnerability (CVE-2015-0263)

This vulnerability occurs while Apache Camel's XML converter performs XML External Entity (XXE) expansion. A remote attacker could exploit this vulnerability by supplying a SAXSource containing a specially crafted XML External Entity (XXE) declaration. Successful exploitation of this vulnerability could allow the attacker to gain access to sensitive information on the targeted system with the privileges of the JBoss server.

2. Information Disclosure Vulnerability (CVE-2015-0264)

This vulnerability also occurs while Apache Camel's XML converter performs XML External Entity (XXE) expansion. A remote attacker could exploit this vulnerability using an XML message containing a specially crafted XML string or XML GenericFile object. Successful exploitation of this vulnerability could allow the attacker to gain access to sensitive information on the targeted system with the privileges of the JBoss server.


Impact



Solution/ Workarounds


Apply the appropriate fix/patch as provided by the vendor:
https://rhn.redhat.com/errata/RHSA-2015-1041.html


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.