Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
It was discovered that sending requests containing large headers to the Web
Console produced a Java OutOfMemoryError in the HTTP management interface.
An attacker could use this flaw to cause a denial of service.
(CVE-2015-5220)
It was discovered that the EAP Management Console could be opened in an
IFRAME, which made it possible to intercept and manipulate requests.
An attacker could use this flaw to trick a user into performing arbitrary
actions in the Console (clickjacking). (CVE-2015-5178)
Note: Resolving this issue required a change in the way HTTP requests are
sent in the Console; this change may affect users. See the Release Notes
linked to in the References section for details about this change.
It was discovered that when uploading a file using a multipart/form-data
submission to the EAP Web Console, the Console was vulnerable to Cross-Site
Request Forgery (CSRF). This meant that an attacker could use the flaw
together with a forgery attack to make changes to an authenticated
instance. (CVE-2015-5188)
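The two checks below are an added illustration and are not part of this advisory or of the JBoss EAP code base. The first decides whether a response could still be rendered inside a third-party IFRAME, the condition behind the clickjacking flaw (CVE-2015-5178); the second decides whether a state-changing request, such as a multipart/form-data upload of the kind described for CVE-2015-5188, fails to prove that it originated from the console's own origin. The console origin and every header value are constructed for the example, and the Origin/Referer check is meant to complement an anti-CSRF token rather than stand in for the vendor's fix.

```python
"""
Added example (not the advisory's or EAP's own code): server-side checks for
the two console flaw classes described above.

Assumptions, constructed for illustration:
  - the console is served only from CONSOLE_ORIGIN;
  - request and response headers are supplied as plain dicts.
"""

CONSOLE_ORIGIN = "https://eap-console.example.internal:9990"  # constructed
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def framing_allowed(response_headers):
    """Return True if a browser would render this response inside an <iframe>
    on another site (the clickjacking case). Either an X-Frame-Options header
    or a CSP frame-ancestors directive that excludes third parties blocks it."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = hdrs.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.strip("'").lower() for p in parts[1:]}
            # '*' or a scheme-only source such as "https:" still admits any site;
            # 'none', 'self' or an explicit host list keeps third parties out.
            return any(s == "*" or s.endswith(":") for s in sources)
    return True  # no anti-framing header at all


def csrf_suspect(method, request_headers):
    """Return True if a state-changing request does not demonstrate that it
    came from the console's own origin. A cross-site multipart/form-data POST
    carries the foreign site's Origin (or "null"), or no Origin/Referer at all."""
    if method.upper() not in STATE_CHANGING:
        return False  # safe methods are not CSRF targets
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is not None:
        return origin.rstrip("/") != CONSOLE_ORIGIN
    referer = hdrs.get("referer", "")
    return not referer.startswith(CONSOLE_ORIGIN + "/")


if __name__ == "__main__":
    # Constructed header sets for a quick self-check
    print("frameable:", framing_allowed({"Content-Type": "text/html"}))
    print("frameable:", framing_allowed({"X-Frame-Options": "SAMEORIGIN"}))
    print("suspect:", csrf_suspect("POST", {"Origin": "https://third-party.example",
                                            "Content-Type": "multipart/form-data; boundary=x"}))
```

A request that passes `csrf_suspect` has only shown a plausible origin; the console still needs a per-session token bound to the form submission, because Referer can be absent for legitimate users and the check above treats that case as suspect by design.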
The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS
Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene
of the Red Hat Middleware Engineering Team.
All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform
6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to
take effect.
OS | Version | Architecture | Package | Affected Versions | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | jboss-ec2-eap | < 7.5.4-1.Final_redhat_4.ep6.el6 | jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm |
RedHat | 6 | src | jboss-ec2-eap | < 7.5.4-1.Final_redhat_4.ep6.el6 | jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.src.rpm |
RedHat | 6 | noarch | jboss-ec2-eap-samples | < 7.5.4-1.Final_redhat_4.ep6.el6 | jboss-ec2-eap-samples-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm |
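To confirm that the update has actually landed, an administrator has to compare installed package versions against the fixed build from the table above. The following script is an added example, not part of this advisory or shipped by Red Hat: it applies the segment rules of rpm's version comparison (numeric segments compared as integers, alphabetic segments lexically, numeric ahead of alphabetic, `~` sorting before anything else) to `rpm -qa` output and lists the advisory's packages that are still older than 7.5.4-1.Final_redhat_4.ep6.el6. The `rpm -qa` lines embedded below are constructed sample input, including an older jboss-ec2-eap build invented for the illustration.

```python
"""
Added example (not the advisory's own material): report installed
jboss-ec2-eap packages that are still below the fixed version-release from
the advisory's package table. The sample `rpm -qa` output is constructed.
"""
import re

# Fixed version-release taken from the advisory's package table
FIXED_VR = "7.5.4-1.Final_redhat_4.ep6.el6"
ADVISORY_PACKAGES = ("jboss-ec2-eap", "jboss-ec2-eap-samples")

# rpm splits versions into runs of digits, runs of letters and '~'; other
# characters act only as separators.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version (or release) strings with rpm's segment rules.
    Returns -1 if a is older than b, 0 if equal, 1 if newer."""
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:                      # the side carrying '~' is older
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):            # int() also discards leading zeros
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():                   # numeric segment beats alphabetic
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    # The side with segments left over is newer, unless the leftover starts
    # with '~' (pre-release marker), which makes it older.
    a_longer = len(ta) > len(tb)
    rest = ta[len(tb):] if a_longer else tb[len(ta):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def vrcmp(vr_a, vr_b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line):
    """Split an `rpm -qa` line 'name-version-release.arch' into its parts.
    The name may itself contain dashes, so split from the right."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def affected_packages(rpm_qa_output, fixed_vr=FIXED_VR):
    """Return the NVRA lines of advisory packages older than the fixed build."""
    hits = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line)
        if name in ADVISORY_PACKAGES and vrcmp(f"{version}-{release}", fixed_vr) < 0:
            hits.append(line.strip())
    return hits


# Constructed sample output; the 7.5.3 build is made up for illustration.
SAMPLE_RPM_QA = """\
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch
jboss-ec2-eap-samples-7.5.4-1.Final_redhat_4.ep6.el6.noarch
bash-4.1.2-33.el6.x86_64
"""

if __name__ == "__main__":
    for pkg in affected_packages(SAMPLE_RPM_QA):
        print("UPDATE NEEDED:", pkg)
```

On a real host, feed the script the output of `rpm -qa` and remember that, as the advisory states, a package version at or above the fixed build is not sufficient on its own: the JBoss server process must also have been restarted since the update.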