Bug 896527

Summary: CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints [BRMS-5.3.0]
Product: [JBoss] JBoss Enterprise BRMS Platform 5 Reporter: nwallace <nwallace>
Component: Security Assignee: trev <tkirby>
Status: CLOSED ERRATA QA Contact: Petr Široký <psiroky>
Severity: high Docs Contact:
Priority: unspecified    
Version: BRMS 5.3.0.GA CC: brms-jira, djorm
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
PATCH NAME: BZ-896527
PRODUCT NAME: JBoss Enterprise BRMS Platform
VERSION:
SHORT DESCRIPTION: Security patch
LONG DESCRIPTION: This is a security patch for BRMS-5.3.0.GA. This patch includes the following fix:
[BZ-896527] CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints
MANUAL INSTALL INSTRUCTIONS:
Apply the patch jars:
- Remove the following jars:
  $JBOSS_HOME/jboss-as/server/<configuration>/deploy/jbossweb.sar/jbossweb.jar
- Copy the jar(s) from BZ-896527.zip to the same locations:
  $JBOSS_HOME/jboss-as/server/<configuration>/deploy/jbossweb.sar/jbossweb.jar
COMPATIBILITY: NA
DEPENDENCIES: NA
SUPERSEDES: NA
SUPERSEDED BY: NA
CREATOR: Neil Wallace
DATE: 16th January 2013
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-05 01:37:14 UTC Type: Support Patch
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 883634    

Description nwallace 2013-01-17 13:50:34 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 David Jorm 2013-01-17 22:59:02 UTC
I have tested the patch here:

http://jawa05.englab.brq.redhat.com/patches/BZ-896527/BZ-896527.zip

With the reproducer, and found that it successfully resolves CVE-2012-3546. QE should perform regression testing before we say this is ready for release.

Comment 2 Petr Široký 2013-01-24 14:59:21 UTC
The patched jbossweb.jar is _not_ signed. It has to be signed in order to release it as patch. Can we get a signed version?

Comment 3 David Jorm 2013-01-24 23:30:07 UTC
Neil, can you please provide a signed version?

Comment 4 David Jorm 2013-01-31 06:17:06 UTC
Neil has now updated http://jawa05.englab.brq.redhat.com/patches/BZ-896527/BZ-896527.zip to include a signed JAR. Petr, can you please test it ASAP? If we can get it tested this week to ship on Monday that would be ideal.

Comment 5 Petr Široký 2013-01-31 10:36:06 UTC
Hi David,

yes, I will look at this today.

Comment 6 Petr Široký 2013-01-31 13:30:52 UTC
Regression tests passed with patched BRMS 5.3.0.GA standalone, no issues were found.

md5sums:
dfe206bdb255fe88dfa4e4639a85e2f0  BZ-896527.zip
d6ec6d191b2e81b3823cdfc3bc39a110  jbossweb.jar
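Before following the manual install steps in the Doc Text (replace jbossweb.jar under the deploy/jbossweb.sar directory), an operator would want to confirm two things the thread raises: that the downloaded artifact matches the md5sums QE posted in Comment 6, and that the JAR actually carries a signature, which Comment 2 required before release. The following Python script is an added example written for this page; it is not part of the patch, the bug record, or any Red Hat tooling. It uses the checksum values from Comment 6 and builds two small constructed JARs in memory (one with signature entries, one without) so it runs offline; a structural check for META-INF signature files only tells you a signature is present, so the comment points to `jarsigner -verify` for the cryptographic check.

```python
"""Pre-install checks for a patch JAR: checksum match and presence of a JAR signature.

Added example for BZ-896527; not code from the bug, the patch, or the vendor.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

# Checksums exactly as QE posted them in Comment 6 of the bug.
EXPECTED_MD5 = {
    "BZ-896527.zip": "dfe206bdb255fe88dfa4e4639a85e2f0",
    "jbossweb.jar": "d6ec6d191b2e81b3823cdfc3bc39a110",
}

# Install location quoted in the Doc Text; <configuration> is the server profile name.
TARGET_PATH = "$JBOSS_HOME/jboss-as/server/<configuration>/deploy/jbossweb.sar/jbossweb.jar"


def md5_hex(data: bytes) -> str:
    """MD5 hex digest. MD5 is used only because that is what the tracker published;
    treat it as a transfer-integrity check, not as proof of origin."""
    return hashlib.md5(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a byte string against a published hex digest (case-insensitive)."""
    return md5_hex(data) == expected_hex.lower()


def signature_files(jar_bytes: bytes) -> List[str]:
    """List top-level META-INF signature entries: the .SF manifest digest file and
    the .RSA/.DSA/.EC signature block that accompanies it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    prefix = "META-INF/"
    suffixes = (".SF", ".RSA", ".DSA", ".EC")
    return sorted(
        n for n in names
        if n.upper().startswith(prefix)
        and n.upper().endswith(suffixes)
        and "/" not in n[len(prefix):]  # signature files live directly under META-INF/
    )


def looks_signed(jar_bytes: bytes) -> bool:
    """True when at least one .SF file has a matching signature block with the same stem.
    This is a structural check only; run `jarsigner -verify <jar>` to validate the
    signature and its certificate chain."""
    sigs = signature_files(jar_bytes)
    sf_stems = {n.rsplit(".", 1)[0] for n in sigs if n.upper().endswith(".SF")}
    block_stems = {n.rsplit(".", 1)[0] for n in sigs if not n.upper().endswith(".SF")}
    return bool(sf_stems & block_stems)


def preinstall_report(jar_bytes: bytes, expected_md5: Optional[str] = None) -> Dict[str, object]:
    """Summarise what an operator should know before replacing the deployed jbossweb.jar."""
    report: Dict[str, object] = {"signed": looks_signed(jar_bytes), "md5": md5_hex(jar_bytes)}
    if expected_md5 is not None:
        report["md5_ok"] = checksum_matches(jar_bytes, expected_md5)
    report["ready_to_install"] = bool(report["signed"]) and report.get("md5_ok", False) is True
    return report


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Construct a small JAR (zip) in memory from a name -> content mapping (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the real artifact; contents are placeholders, not the patch.
UNSIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/catalina/Example.class": b"\xca\xfe\xba\xbe",
})
SIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/JBOSS.SF": b"Signature-Version: 1.0\n",
    "META-INF/JBOSS.RSA": b"placeholder-pkcs7-signature-block",
    "org/apache/catalina/Example.class": b"\xca\xfe\xba\xbe",
})


if __name__ == "__main__":
    # Against a real download you would read the file and pass EXPECTED_MD5["jbossweb.jar"].
    for label, jar in (("unsigned fixture", UNSIGNED_JAR), ("signed fixture", SIGNED_JAR)):
        print(label, preinstall_report(jar, md5_hex(jar)))
    print("install target:", TARGET_PATH)
```

On a real host you would read BZ-896527.zip and the extracted jbossweb.jar from disk, pass the digests from `EXPECTED_MD5`, and only proceed with the remove-and-copy steps when `ready_to_install` is true and `jarsigner -verify` succeeds.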

Comment 7 David Jorm 2013-02-05 01:37:14 UTC
Shipped live:

https://rhn.redhat.com/errata/RHSA-2013-0235.html