Bug 1183067 - Roll up patch FSW_6.0_1_2015
Summary: Roll up patch FSW_6.0_1_2015
Keywords:
Status: RELEASE_PENDING
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: SwitchYard
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR3
Assignee: tcunning
QA Contact: ppecka
URL:
Whiteboard:
Duplicates: 1180731
Depends On: 1191864 1197881 1202701 1203814 1150752 1150774 1174871
Blocks:
Reported: 2015-01-16 15:33 UTC by Rick Wagner
Modified: 2023-07-07 08:27 UTC
CC: 6 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
PATCH NAME: BZ-1183067
PRODUCT NAME: JBoss Fuse Service Works 6
VERSION: 6.0.0
SHORT DESCRIPTION: Roll up patch FSW_6.0_1_2015
LONG DESCRIPTION: This is a roll-up patch for FSW 6.0.0. This patch includes the following fixes:
[BZ-1133773] CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates
[BZ-1133769] CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
[BZ-1174871] (6.1.3 patch) SECURITY-871, WFLY-1904 - Vault fixes for system properties and LDAP integration
[BZ-1191864] (6.0.x) WSS UsernameToken fails to propagate at SOAP reference binding with WSS Policy
[BZ-1197881] Roll up 3 has broken FSW. Only the most recent REST application will function correctly.
[BZ-1202701] (6.0.x) Unexpected behavior in fault handling with doTry/doCatch in Camel service
[BZ-1203814] XmlValidator converts String contents to platform default encoding, causes data corruption

and includes the following fixes from Roll up patch FSW_6.0_4_2014:
[BZ-1017768] Throttling timePeriod configuration in switchyard.xml not used at runtime
[BZ-1092783] CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
[BZ-1088342] CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
[BZ-1102030] CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
[BZ-1072776] CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
[BZ-1102038] CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
[BZ-1109196] CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
[BZ-1112987] CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
[BZ-1103815] CVE-2014-3472 JBoss AS Security: Invalid EJB caller role check implementation
[BZ-1120495] CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
[BZ-1107901] CVE-2014-3490 RESTEasy: XXE via parameter entities
[BZ-1105242] CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
[BZ-1128720] DTGov: Artifact undeployment not using classifier/type info
[BZ-1129074] CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
[BZ-1129916] CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
[BZ-1141960] Please fix 'org.postgresql.util.PSQLException: Large Objects may not be used in auto-commit mode.' bug in DTGov/Postgres
[BZ-1145207] s-ramp-demos-switchyard-multiapp is not properly deployed, rework
[BZ-1145976] BPM/Rules properties are not set in org.kie.api.runtime.Environment
[BZ-1152670] Multiple BPEL jars deployed in an .ear result in monitor contention
[BZ-1019176] CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
[BZ-1164809] Unexpected behavior of 'Fail' button
[BZ-1131882] CVE-2014-3578 Spring Framework: Directory traversal
[BZ-1165936] CVE-2014-3625 Spring Framework: directory traversal flaw
[BZ-1065139] CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
[BZ-1049736] CVE-2014-0005 PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
[BZ-1167422] Please implement mechanisms to compensate for partner link exceptions
[BZ-878082]
[BZ-1170277] Upgrade Camel version to Fuse build 60065
[BZ-1182877] Camel OutboundHandler doesn't apply MessageComposer to out message

and includes the following fixes from roll up patch FSW_6.0_3_2014:
[BZ-958618] CVE-2013-2035 jansi: HawtJNI: predictable temporary file name leading to local arbitrary code execution [fsw-6]
[BZ-1043332] CVE-2013-6440 xmltooling: XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter [fsw-6]
[BZ-1052783] CVE-2014-0018 jboss-as-server: Unchecked access to MSC Service Registry under JSM [fsw-6]
[BZ-1070046] CVE-2014-0093 eap: JBoss EAP 6: JSM policy not respected by deployed applications [fsw-6]
[BZ-1063641] CVE-2014-0058 eap: Red Hat JBoss EAP6: Plain text password logging during security audit [fsw-6]
[BZ-1080248] CVE-2014-0107 xalan-j2: Xalan-Java: insufficient constraints in secure processing feature (oCERT-2014-002) [fsw-6]
[BZ-1120380] Please include EAP 6.1.2 in the next FSW Roll up patch.
[BZ-1131156] Please fix SOAP fault handling in FSW 6.0
[BZ-1138135] CVE-2014-3574 CVE-2014-3529 apache-poi: various flaws [fsw-6.0.x]
[BZ-1138738] Please apply Context Class Loader fix to SCA Invoker
[BZ-1142876] Timeout occurs when setting handled(true) in Camel route's onException()
[BZ-1144127] Please fix NPE while serializing SOAPFaultInfo#role property
[BZ-1144148] Runtime access to config model in SCA binding
[BZ-1146205] Context properties from RemoteMessage not passed to service
[BZ-1146206] RTGov UI no longer working on FSW 6.0
[BZ-1146207] RemoteMessage#context is empty
[BZ-1146241] Null details in SOAP fault returned to Camel Route
[BZ-1146951] java.lang.IllegalArgumentException after redeploy application
[BZ-1146953] Namespace context not set for camel bindings with unmanaged threads
[BZ-1149180] Elasticsearch mapping for rtgov activities results in spurious events included in call trace

and the following fixes from roll up patch FSW_6.0_2_2014:
[BZ-1067642] Switchyard component hot deployment via JBoss CLI fails.
[BZ-1076358] XmlValidator converts String contents to platform default encoding, causes data corruption
[BZ-1092697] Authentication/Authorization fails with RESTEasy component
[BZ-1105052] Missing lucene-queryparser jar in fsw 6.0.0.GA repository
[BZ-1110484] [GSS] (one-off) EAP 6.1.1, Cannot get exception as pass-by-reference (for FSW)
[BZ-1114732] Please do not allow types with spaces, these break the repository

and the following fixes from roll up patch FSW_6.0_1_2014:
[BZ-1030518] s-ramp-demos-switchyard-multiapp is not properly deployed
[BZ-1049696] CVE-2014-0002 Camel: XML eXternal Entity (XXE) flaw in XSLT component
[BZ-1049700] CVE-2014-0003 Camel: remote code execution via XSL
[BZ-1057210] There is no pagination in DTGov TaskInbox
[BZ-1063344] bpm signal_event returns null when completing existing process
[BZ-1067501] Switchyard component hot deployment via JBoss CLI fails.
[BZ-1067634] Please change SCAInvoker so it contains setOperation() to enable multiple-operation interfaces
[BZ-1063604] CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization [fsw-6]
[BZ-1072509] CVE-2013-4286 jbossweb: various flaws [fsw-6]
[BZ-1064679] CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream [fsw-6]

PATCH INSTALLATION INSTRUCTIONS:
Step 1. Backup and remove every file and directory listed in the files:
    All installations: removed-list-base.txt
    DT-Gov installations: removed-list-dtgov.txt
    RT-Gov Client installations: removed-list-rtgov-client.txt (this step is valid only if you have ONLY the RT-Gov Client components installed)
    RT-Gov Server installations: removed-list-rtgov-server.txt (this step is valid if you have the RT-Gov Server components installed)
    S-RAMP installations: removed-list-s-ramp.txt
    SwitchYard installations: removed-list-switchyard.txt
Step 2. At the directory containing the jboss-eap-6.1 directory, unzip the files:
    All installations: fsw-6.0_1_2015-base.zip
    DT-Gov installations: fsw-6.0_1_2015-dtgov.zip
    RT-Gov Server installations: fsw-6.0_1_2015-rtgov-server.zip (this step is valid only if you have ONLY the RT-Gov Server components installed)
    RT-Gov Client installations: fsw-6.0_1_2015-rtgov-client.zip (this step is valid if you have the RT-Gov Client components installed)
    S-RAMP installations: fsw-6.0_1_2015-s-ramp.zip
    SwitchYard installations: fsw-6.0_1_2015-switchyard.zip

NOTES: This patch includes upgrades to the underlying EAP component, some of which affect operation of the Java Security Manager. If you do not run with JSM (a common practice) you do not need to be further concerned. If you do use JSM, Red Hat recommends you start the server with the following arguments: "-Djboss.modules.policy-permissions=true" -secmgr
Edit the jboss-eap-6.1/standalone/configuration/dtgov.properties file and remove the JavaArchive governance query. The single line to be removed starts with this text: governance.queries=/s-ramp/ext/JavaArchive|overlord.demo.SimpleReleaseProcess

COMPATIBILITY: JBoss Fuse Service Works 6
DEPENDENCIES: N/A
SUPERSEDES: BZ-1146192
CREATOR: G Varsamis
DATE: 12 June, 2015
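The installation steps above, scripted as an added example; this is not part of the patch or its hand-off document. It assumes three paths that the instructions leave to the operator (the directory containing jboss-eap-6.1, the directory where the patch archive was unpacked, and a backup directory) and takes component names (dtgov, rtgov-server, rtgov-client, s-ramp, switchyard) that are assumed to match the file suffixes in the instructions. The removed-list files are treated as one path per line relative to the install root, which the page implies but does not state. The scratch layout built by the demo function is constructed sample data, not product files; it exercises the backup/remove step and the dtgov.properties edit offline, while the unzip step needs the real patch zips and runs only through apply_rollup.

```shell
#!/bin/sh
# Added example, not Red Hat's patch tooling. Usage:
#   sh fsw_rollup.sh apply INSTALL_ROOT PATCH_DIR BACKUP_DIR [component ...]
#   sh fsw_rollup.sh demo
# INSTALL_ROOT contains jboss-eap-6.1; PATCH_DIR holds removed-list-*.txt and
# fsw-6.0_1_2015-*.zip; BACKUP_DIR receives copies of everything removed.
set -eu

# Step 1: back up, then delete, every path listed in a removed-list file
# (assumed format: one path per line relative to INSTALL_ROOT; blank lines and
# '#' comments ignored). Prints how many listed paths actually existed and were
# removed. Absolute paths and '..' segments are rejected so a tampered or
# mis-generated list cannot reach outside the installation.
backup_and_remove() {
    list=$1 root=$2 backup=$3
    n=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        case "$rel" in ''|'#'*) continue ;; esac
        case "$rel" in
            /*|..|../*|*/..|*/../*)
                echo "refusing path outside install root: $rel" >&2
                return 1 ;;
        esac
        src=$root/$rel
        [ -e "$src" ] || continue
        mkdir -p "$backup/$(dirname "$rel")"
        cp -Rp "$src" "$backup/$rel"
        rm -rf "$src"
        n=$((n + 1))
    done < "$list"
    echo "$n"
}

# NOTES step: drop the JavaArchive governance query from dtgov.properties,
# keeping a .orig copy. Matches on the line prefix the hand-off document quotes;
# the remainder of the line is not needed to identify it.
remove_javaarchive_query() {
    props=$1
    cp -p "$props" "$props.orig"
    awk -v p='governance.queries=/s-ramp/ext/JavaArchive|overlord.demo.SimpleReleaseProcess' \
        'index($0, p) != 1' "$props.orig" > "$props"
}

# Steps 1 and 2 end to end: remove the base list plus one list per component,
# then unzip the base zip plus one zip per component at INSTALL_ROOT.
apply_rollup() {
    root=$1 patch=$2 backup=$3
    shift 3
    backup_and_remove "$patch/removed-list-base.txt" "$root" "$backup" >/dev/null
    for c in "$@"; do
        backup_and_remove "$patch/removed-list-$c.txt" "$root" "$backup" >/dev/null
    done
    unzip -o -q "$patch/fsw-6.0_1_2015-base.zip" -d "$root"
    for c in "$@"; do
        unzip -o -q "$patch/fsw-6.0_1_2015-$c.zip" -d "$root"
    done
    props=$root/jboss-eap-6.1/standalone/configuration/dtgov.properties
    if [ -f "$props" ]; then
        remove_javaarchive_query "$props"
    fi
}

# Constructed scratch tree (not real product files) to show the two file
# operations offline; nothing here touches a real installation.
demo() {
    t=$(mktemp -d)
    cfg=$t/jboss-eap-6.1/standalone/configuration
    mkdir -p "$t/jboss-eap-6.1/modules/old" "$cfg" "$t/patch"
    echo stale > "$t/jboss-eap-6.1/modules/old/stale.jar"
    printf '%s\n' '# constructed removed-list' 'jboss-eap-6.1/modules/old' \
        'jboss-eap-6.1/not-there.jar' > "$t/patch/removed-list-base.txt"
    printf '%s\n' 'some.other.property=value' \
        'governance.queries=/s-ramp/ext/JavaArchive|overlord.demo.SimpleReleaseProcess|...' \
        > "$cfg/dtgov.properties"
    removed=$(backup_and_remove "$t/patch/removed-list-base.txt" "$t" "$t/backup")
    remove_javaarchive_query "$cfg/dtgov.properties"
    echo "removed $removed path(s); dtgov.properties now has $(wc -l < "$cfg/dtgov.properties") line(s)"
    rm -rf "$t"
}

case "${1:-}" in
    demo)  demo ;;
    apply) shift; apply_rollup "$@" ;;
    *)     ;;   # no argument: only define the functions
esac
```

Which component zips to pass is the operator's decision under the qualifiers in the instructions (the RT-Gov client and server lines carry different "ONLY" conditions, so pick the one that matches the installed components). The JSM start arguments from the NOTES are a server start option, not a file edit, and are deliberately outside this script.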
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
Hand off doc for patch. (2.03 KB, text/plain), 2015-06-04 19:50 UTC, Rick Wagner

Description Rick Wagner 2015-01-16 15:33:47 UTC
First Roll up of 2015 for FSW 6.0

Comment 2 Rick Wagner 2015-02-12 14:11:37 UTC
*** Bug 1180731 has been marked as a duplicate of this bug. ***

Comment 7 Rick Wagner 2015-06-04 19:50:44 UTC
Created attachment 1034851 [details]
Hand off doc for patch.

Comment 19 George Varsamis 2015-07-16 17:28:34 UTC
The regression was due to the module.xml for springframework not referencing the correct jar versions in the module dir. I have fixed that and placed a new BZ-1183067.zip in the patch directory.

