csaf_redhat - rhsa-2015:1672

rhsa-2015:1672

Vulnerability from csaf_redhat

Published

2015-08-24 15:52

Modified

2025-04-09 15:46

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update

Notes

Topic

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

Details

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements. Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References. The following security issue is also fixed with this release: It was discovered that under specific conditions that PicketLink IDP ignores role based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role. (CVE-2015-3158) All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nThis release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements. Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References.\n\nThe following security issue is also fixed with this release:\n\nIt was discovered that under specific conditions that PicketLink\nIDP ignores role based authorization.  This could lead to an \nauthenticated user being able to access application resources\nthat are not permitted for a given role. (CVE-2015-3158)\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1672",
        "url": "https://access.redhat.com/errata/RHSA-2015:1672"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html",
        "url": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html"
      },
      {
        "category": "external",
        "summary": "1216123",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216123"
      },
      {
        "category": "external",
        "summary": "1247691",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247691"
      },
      {
        "category": "external",
        "summary": "1247695",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247695"
      },
      {
        "category": "external",
        "summary": "1247697",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247697"
      },
      {
        "category": "external",
        "summary": "1247702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247702"
      },
      {
        "category": "external",
        "summary": "1247707",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247707"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1672.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update",
    "tracking": {
      "current_release_date": "2025-04-09T15:46:57+00:00",
      "generator": {
        "date": "2025-04-09T15:46:57+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.4.2"
        }
      },
      "id": "RHSA-2015:1672",
      "initial_release_date": "2015-08-24T15:52:20+00:00",
      "revision_history": [
        {
          "date": "2015-08-24T15:52:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-08-24T15:52:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-04-09T15:46:57+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.4",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.4",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-3158",
      "discovery_date": "2015-04-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1216123"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "PicketLink: PicketLink IDP ignores role based authorization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-3158"
        },
        {
          "category": "external",
          "summary": "RHBZ#1216123",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216123"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3158",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-3158"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3158",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3158"
        }
      ],
      "release_date": "2015-06-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-08-24T15:52:20+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1672"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "PicketLink: PicketLink IDP ignores role based authorization"
    }
  ]
}

CVE-2015-3158 (GCVE-0-2015-3158)

Vulnerability from cvelistv5

Published

2015-08-26 19:00

Modified

2024-08-06 05:39

Severity ?

CWE

Summary

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

References

►

URL

Tags

	http://rhn.redhat.com/errata/RHSA-2015-1671.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2015-1672.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2015-1673.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2015-1670.html	vendor-advisory, x_refsource_REDHAT
	https://github.com/picketlink/picketlink-bindings/pull/124	x_refsource_CONFIRM
	https://issues.jboss.org/browse/PLINK-708	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2015-1669.html	vendor-advisory, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=1216123	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website