Bug 802200 (CVE-2012-1154)

Summary: CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mjc, rbrackma
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20110831,reported=20120309,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,jbews-1/mod_cluster=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-13 21:15:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 806139, 806140, 806141
Bug Blocks: 802216, 807573

Description David Jorm 2012-03-11 23:34:05 EDT
mod_cluster 1.0.10 CP02 and 1.1.3 register and expose the root context of a server by default, despite ROOT being in the excludedContexts list. This is due to a regression that bypassed context filtering for the root context, causing the root context to be enabled inadvertently. This flaw is fixed in mod_cluster 1.0.10 CP03 and 1.1.4.
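As an added illustration, not mod_cluster's own code and not the actual regressed code path (which this report does not show), the following hypothetical model shows how an excludedContexts filter can fail exactly for the root context: a servlet container names the root context "" or "/", never the literal token "ROOT", so a filter that compares raw context names lets it through while still excluding every other listed context. The exclusion list, the helper names and the sample context paths are constructed for the example; only ROOT comes from the report.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical model of excludedContexts filtering (illustration only, not mod_cluster source).
public class ExcludedContextsCheck {

    // Exclusion list in the comma-separated form used by the excludedContexts attribute.
    // ROOT is the entry the report is about; the other names are sample values.
    static final String EXCLUDED_ATTR = "ROOT,admin-console,jmx-console";

    static Set<String> parseExcluded(String attr) {
        Set<String> excluded = new HashSet<>();
        for (String token : attr.split(",")) {
            String t = token.trim();
            if (!t.isEmpty()) excluded.add(t);
        }
        return excluded;
    }

    // Context paths as a servlet container reports them: "" or "/" for the root
    // context, "/name" for every other deployment.
    static String stripLeadingSlash(String contextPath) {
        return contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
    }

    // Regressed filter: the root context's name ("") never equals the token "ROOT",
    // so the root context is reported to the proxy even though ROOT is in the list.
    static boolean regressedShouldRegister(String contextPath, Set<String> excluded) {
        return !excluded.contains(stripLeadingSlash(contextPath));
    }

    // Corrected filter: normalise the root path to the ROOT token before the lookup.
    static boolean fixedShouldRegister(String contextPath, Set<String> excluded) {
        String name = stripLeadingSlash(contextPath);
        if (name.isEmpty()) name = "ROOT";
        return !excluded.contains(name);
    }

    public static void main(String[] args) {
        Set<String> excluded = parseExcluded(EXCLUDED_ATTR);
        // "/" and "" are registered by the regressed filter and excluded by the fixed one;
        // "/jmx-console" is excluded by both; "/myapp" is registered by both.
        for (String ctx : Arrays.asList("/", "", "/jmx-console", "/myapp")) {
            System.out.printf("%-14s regressed=%-5b fixed=%b%n", "\"" + ctx + "\"",
                    regressedShouldRegister(ctx, excluded),
                    fixedShouldRegister(ctx, excluded));
        }
    }
}
```

The practical check this suggests for a deployment is the same one the fix restores: after the proxy has learned the server's contexts, confirm that the root context does not appear among them whenever ROOT is in excludedContexts.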
Comment 1 David Jorm 2012-03-12 02:57:27 EDT
The following products are affected by this flaw:

JBoss Enterprise Web Server 1.0.2
JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Web Platform 5.1.2
JBoss Communications Platform 5.1.3
Comment 2 David Jorm 2012-03-12 21:52:42 EDT
Upstream bug report:

https://issues.jboss.org/browse/MODCLUSTER-253
Comment 4 errata-xmlrpc 2012-06-19 15:24:23 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:1012 https://rhn.redhat.com/errata/RHSA-2012-1012.html
Comment 5 errata-xmlrpc 2012-06-19 15:24:55 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1011 https://rhn.redhat.com/errata/RHSA-2012-1011.html
Comment 6 errata-xmlrpc 2012-06-19 15:25:27 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1010 https://rhn.redhat.com/errata/RHSA-2012-1010.html
Comment 7 errata-xmlrpc 2012-07-03 05:01:13 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1052 https://rhn.redhat.com/errata/RHSA-2012-1052.html
Comment 8 errata-xmlrpc 2012-07-03 05:10:05 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1053 https://rhn.redhat.com/errata/RHSA-2012-1053.html
Comment 9 errata-xmlrpc 2012-08-13 11:58:23 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:1166 https://rhn.redhat.com/errata/RHSA-2012-1166.html