Bug 802200 (CVE-2012-1154)

Summary: CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mjc, rbrackma
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-08-14 01:15:37 UTC
Bug Depends On: 806139, 806140, 806141
Bug Blocks: 802216, 807573

Description David Jorm 2012-03-12 03:34:05 UTC
mod_cluster 1.0.10 CP02 and 1.1.3 registers and exposes the root context of a server by default, despite ROOT being in the excludedContexts list. This is due to a regression that bypassed context filtering for the root context, causing the root context to be enabled inadvertently. This flaw is fixed in mod_cluster 1.0.10 CP03 and 1.1.4.
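
As an added illustration, not part of this report or of mod_cluster's own code: a small model of the excludedContexts check, placing a root-context short-circuit like the regression described above beside a check that normalises the ROOT entry before comparing. Assumptions: excludedContexts is a comma-separated list as in mod_cluster configuration, the servlet container reports the root context with path "" (its webapp directory being named ROOT), and the sample list and deployed contexts are constructed.

```python
# Constructed sample list (not the exact default shipped with any product).
SAMPLE_EXCLUDED = "ROOT,jmx-console,web-console"


def normalise(context):
    """Map a context name or path to the canonical form used for comparison.

    Assumption: the container's root context has path "" but is usually
    configured by its directory name ROOT, so both spellings must meet here.
    """
    c = context.strip().strip("/")
    return "" if c.upper() == "ROOT" else c


def parse_excluded(excluded_contexts):
    """Turn the comma-separated excludedContexts value into a set of paths."""
    return {normalise(e) for e in excluded_contexts.split(",") if e.strip()}


def is_excluded_buggy(context_path, excluded_contexts):
    """Models the regression: the root context skips the exclusion check."""
    if context_path in ("", "/"):
        return False  # filtering bypassed for root, so it gets registered
    return normalise(context_path) in parse_excluded(excluded_contexts)


def is_excluded_fixed(context_path, excluded_contexts):
    """Every context, root included, is checked against the normalised list."""
    return normalise(context_path) in parse_excluded(excluded_contexts)


def exposed_contexts(deployed, excluded_contexts, check=is_excluded_fixed):
    """Return the deployed context paths that would be registered with the proxy.

    Useful as a configuration audit: feed it the container's deployed
    contexts and the configured excludedContexts and confirm "" is absent.
    """
    return [c for c in deployed if not check(c, excluded_contexts)]


if __name__ == "__main__":
    deployed = ["", "/myapp", "/jmx-console"]  # constructed sample
    print("regressed:", exposed_contexts(deployed, SAMPLE_EXCLUDED, is_excluded_buggy))
    print("fixed:    ", exposed_contexts(deployed, SAMPLE_EXCLUDED))
```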

Comment 1 David Jorm 2012-03-12 06:57:27 UTC
The following products are affected by this flaw:

JBoss Enterprise Web Server 1.0.2
JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Web Platform 5.1.2
JBoss Communications Platform 5.1.3

Comment 2 David Jorm 2012-03-13 01:52:42 UTC
Upstream bug report:

https://issues.jboss.org/browse/MODCLUSTER-253

Comment 4 errata-xmlrpc 2012-06-19 19:24:23 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:1012 https://rhn.redhat.com/errata/RHSA-2012-1012.html

Comment 5 errata-xmlrpc 2012-06-19 19:24:55 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1011 https://rhn.redhat.com/errata/RHSA-2012-1011.html

Comment 6 errata-xmlrpc 2012-06-19 19:25:27 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1010 https://rhn.redhat.com/errata/RHSA-2012-1010.html

Comment 7 errata-xmlrpc 2012-07-03 09:01:13 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1052 https://rhn.redhat.com/errata/RHSA-2012-1052.html

Comment 8 errata-xmlrpc 2012-07-03 09:10:05 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1053 https://rhn.redhat.com/errata/RHSA-2012-1053.html

Comment 9 errata-xmlrpc 2012-08-13 15:58:23 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:1166 https://rhn.redhat.com/errata/RHSA-2012-1166.html