2. Fixed Security-Related Issues

After extracting the rhq-remoting-cli-version.zip package, the JBoss ON CLI root directory had global read, write, and execute permissions. Any child directories and scripts old be accessed and modified by any local user. A local attacker could use these permissions to steal JBoss ON user credentials or to run arbitrary code.

If a user authenticating to JBoss ON through LDAP gave invalid credentials, they could still be logged into the JBoss ON UI as long as the user account had successfully logged in using LDAP credentials before.

A remote attacker could use this flaw to gain access to the JBoss ON server using an LDAP account without supplying a password.

In some circumstances, Tomcat could allow a denial of service attack if an attacker triggered predictable collisions in the hashing algorithms used by Java, Python, PHP, and other languages in POST statements. The collisions would cause CPU usage to spike to 100% and effectively cause a denial of service.

The version of JBossWeb used by the JBoss ON server has been upgraded to include fixes for CVE-2011-4858.