2.13. Issues fixed in this release
The following sections detail the issues fixed in this release of JBoss Enterprise Web Server. Updates for some of these issues have been made available previously via Red Hat Network, and are listed alongside the appropriate Red Hat Security Advisory identifier.
2.13.1. Fixed Security Issues
- CVE-2010-2086
- JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. This issue is resolved in JBoss Enterprise Web Server 1.0.1 because it does not include Apache MyFaces.
- CVE-2009-3555
- A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation on Red Hat Enterprise Linux 4 and 5. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. Refer to the following Knowledgebase article for more information about how this issue affects JBoss Enterprise Web Server: http://kbase.redhat.com/faq/docs/DOC-20491
- CVE-2009-3095
- A flaw was found in the Apache mod_proxy_ftp module on Red Hat Enterprise Linux 4 and 5 such that, in a reverse proxy configuration, a remote attacker could bypass intended access restrictions by creating an HTTP Authorization header and sending arbitrary commands to the FTP server. (RHSA-2010:0011)
- CVE-2009-3094
- A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module on Red Hat Enterprise Linux 4 and 5. A malicious FTP server to which requests were proxied could use this flaw to crash an httpd child process through a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (RHSA-2010:0011)
- CVE-2009-2902
- A directory traversal flaw was found in the Tomcat deployment process. WAR file names were not being sanitized during Tomcat deployment in Red Hat Enterprise Linux 4 and 5. This could allow attackers to create a specially-crafted WAR file that could delete files in the Tomcat host's work directory. (RHSA-2010:0119)
- CVE-2009-2699
- A flaw was found in the way errors were handled in the Event Port back end in the Apache Portable Runtime (APR) library, used by the Apache HTTP Server. If an error was incorrectly handled while processing HTTP requests, httpd could hang. Note: This flaw only affected users running JBoss Enterprise Web Server on the Solaris operating system.
- CVE-2009-2693
- A directory traversal flaw was found in the Tomcat deployment process. An attacker could create a specially-crafted WAR file which, once deployed by an unsuspecting local user, would lead to attacker-controlled content being deployed outside the web root, into directories accessible to the Tomcat process. (RHSA-2010:0119)
- CVE-2009-2412
- Multiple integer overflow flaws that led to heap-based buffer overflows were found in the way the Apache Portable Runtime (APR) included in httpd22 manages memory pool and relocatable memory allocations on Red Hat Enterprise Linux 4. An attacker could use these flaws to issue a specially-crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (RHSA-2009:1462)
- CVE-2009-1955
- A denial of service flaw was found in the Apache HTTP Server apr-util Extensible Markup Language (XML) parser for Red Hat Enterprise Linux 4. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. (RHSA-2009:1160)
- CVE-2009-1891
- A denial of service flaw was found in the Apache HTTP Server mod_deflate module for Red Hat Enterprise Linux 4 and 5. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This caused mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (RHSA-2009:1155, RHSA-2009:1160)
- CVE-2009-1890
- A denial of service flaw was found in the Apache HTTP Server mod_proxy module when it was used as a reverse proxy on Red Hat Enterprise Linux 4 and 5. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. (RHSA-2009:1155, RHSA-2009:1160)
- CVE-2009-1195
- In Apache HTTP Server on Red Hat Enterprise Linux 4 and 5, in configurations using the AllowOverride directive with certain Options= arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (RHSA-2009:1155, RHSA-2009:1160)
- CVE-2009-0783
- In Tomcat 5 and 6 on Red Hat Enterprise Linux 4 and 5, web applications containing their own XML parsers could replace the XML parser that Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (RHSA-2009:1506, RHSA-2009:1454)
- CVE-2009-0580
- In Tomcat 5 and 6 on Red Hat Enterprise Linux 4 and 5, certain authentication classes did not perform sufficient error checking, allowing remote attackers to enumerate (via brute force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (RHSA-2009:1506, RHSA-2009:1454)
- CVE-2009-0033
- A flaw was found in the way that the Tomcat 5 and 6 AJP (Apache JServ Protocol) connector processed AJP connections on Red Hat Enterprise Linux 4 and 5. An attacker could use this flaw to send specially-crafted requests that would cause a temporary denial of service. (RHSA-2009:1506, RHSA-2009:1454)
- CVE-2009-0023
- A heap-based underwrite flaw was discovered in the way Apache HTTP Server's apr-util library created compiled forms of particular search patterns on Red Hat Enterprise Linux 4. An attacker could formulate a specially-crafted search keyword that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. (RHSA-2009:1160)
- CVE-2008-5515
- In Tomcat 5 and 6 on Red Hat Enterprise Linux 4 and 5, request dispatchers did not properly normalize user requests that had trailing query strings, which allowed remote attackers to send specially-crafted requests that would cause an information leak. (RHSA-2009:1506, RHSA-2009:1454)
- CVE-2007-5333
- Tomcat 5 did not properly handle a certain character sequence in cookie values on Red Hat Enterprise Linux 4 and 5. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and use this information for session hijacking attacks. (RHSA-2009:1454)
Note
Version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure, behavior, add the following entry to /etc/tomcat5/catalina.properties:
org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false
- CVE-2009-1191
- An information disclosure flaw was found in Apache HTTP Server's mod_proxy_ajp module. In certain situations, if a user sent a specially-crafted HTTP request, the httpd server could return a response intended for another user. (RHSA-2009:1058)
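As an added example (not part of the Red Hat release notes or of Tomcat itself), a small POSIX shell check that an administrator can run against a Tomcat 5 catalina.properties to confirm the insecure override from the CVE-2007-5333 Note (VERSION_SWITCH=false) has not been re-enabled; the sample property files and their contents are constructed for the demonstration, and the check assumes the property appears on a single line.

```shell
#!/bin/sh
# Added example, not from the Red Hat release notes or from Tomcat.
# Audits a catalina.properties for the insecure cookie-version override
# described in the CVE-2007-5333 note. Assumption: the property appears on
# one line, as key=value or key:value, possibly with surrounding spaces,
# a trailing CR, or commented out with '#' or '!'.

KEY='org\.apache\.tomcat\.util\.http\.ServerCookie\.VERSION_SWITCH'

# Returns 0 when the switch is absent or not "false" on an active line,
# 1 when the insecure override is present, 2 when the file is unreadable.
check_cookie_version_switch() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Strip CRs, drop comment lines, then look for an active "false" setting
    # (case-insensitive, since Java's Boolean parsing ignores case).
    if tr -d '\r' < "$file" \
       | grep -v '^[[:space:]]*[#!]' \
       | grep -qi "^[[:space:]]*${KEY}[[:space:]]*[=:][[:space:]]*false[[:space:]]*$"; then
        echo "INSECURE: $file re-enables version 0 cookie handling (VERSION_SWITCH=false)"
        return 1
    fi
    echo "OK: $file keeps the default cookie version switch"
    return 0
}

# Constructed sample files so the check runs stand-alone (removed on exit).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'some.other.setting=true\n# %s=false\n' \
    'org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH' > "$TMP/secure.properties"
printf '%s = false\r\n' \
    'org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH' > "$TMP/insecure.properties"

# Demonstration run over the constructed files; the result is in the echo.
for f in "$TMP/secure.properties" "$TMP/insecure.properties"; do
    check_cookie_version_switch "$f" || :
done
```

On a real host, point the function at /etc/tomcat5/catalina.properties and treat a return status of 1 as a finding to remediate by removing the line.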