Red Hat RHSA-2012:1010: JBoss EAP mod_cluster Root Context Exposure Vulnerability (CVE-2012-1154)

Vulnerability Information Identifier - RHSA-2012:1010 Summary - Provides a security update for mod_cluster, fixing a security issue that could lead to exposure of the server's root context. Type/Severity - Security Advisory: Moderate Subject - Provides an update for JBoss Enterprise Application Platform 5.1.2 to fix a security issue in the mod_cluster component that could lead to context exposure. Vulnerability Description - mod_cluster, a load balancer based on the Apache HTTP Server, has a regression issue in JBoss Enterprise Application Platform 5.1.2. Even when ROOT is listed in the excluded contexts, mod_cluster still registers and exposes the server's root context. If an application is deployed on the root context, a remote attacker could exploit this vulnerability to bypass access restrictions and access the application. Remediation - This issue can be resolved by applying the security update. Users should first back up their existing JBoss Enterprise Application Platform installation (including all applications and configuration files), download and apply the update, and then restart the JBoss server process to activate the update. Affected Products - JBoss Enterprise Application Platform Vulnerability - CVE-2012-1154 References - Red Hat Security Advisory Classification (Moderate) - JBoss Enterprise Application Platform 5.1.2 Security Patch - RHSA-2011:1805 Contact - Security Contact Email: secalert@redhat.com - More Contact Information

Goal Reached Thanks to every supporter — we hit 100%!

Red Hat RHSA-2012:1010: JBoss EAP mod_cluster Root Context Exposure Vulnerability (CVE-2012-1154)