Key Information
Security Advisory Number: RHSA-2014:0171
Release Date: 2014-02-13
Update Date: 2014-02-13
Severity: Moderate
Affected Product: Red Hat JBoss Enterprise Application Platform 6.2.1

Subject
Provides update packages for Red Hat JBoss Enterprise Application Platform 6.2.1 that fix three security issues and multiple bugs and add various enhancements. The Red Hat Security Response Team has rated this update as having moderate security impact. CVSS base scores giving a detailed severity rating for each vulnerability are available via the CVE links in the References section.

Description
The OpenSAML Java implementation shipped in JBoss Enterprise Application Platform 6 contains parser pool and decryptor classes that parse external entities, enabling XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files or carry out more advanced XXE attacks.

The Apache Santuario XML Security project processes documents that carry a DTD even when security validation is enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.

In JBoss Enterprise Application Platform, code deployed under a security manager can access the Modular Service Container (MSC) service registry without any permission checks. A malicious deployment could use this flaw to modify the server's internal state in various ways.

Solution
Before applying this update, ensure that all previously released errata relevant to your system have been applied. Additionally, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. Locally modified configuration files will not be overwritten during the update process. This update can be obtained via Red Hat Network.

Affected Products
Lists the affected product versions and platforms.

Fixes
Lists the related bug tracking entries, CVE numbers, and RPM upgrade information.

CVE Numbers
CVE-2014-0018: Unchecked access to the MSC service registry from code running under a Java Security Manager (JSM).
CVE-2013-4517: Denial of service in Apache Santuario XML Security.
CVE-2013-6440: XML External Entity (XXE) vulnerability in OpenSAML.

References
Provides links to the security classification and release notes.