Bug 896527 - CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints [BRMS-5.3.0]
CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints [BRMS-5.3.0]
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: Security (Show other bugs)
BRMS 5.3.0.GA
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: trev
Petr Široký
Depends On:
Blocks: CVE-2012-3546
  Show dependency treegraph
Reported: 2013-01-17 08:50 EST by nwallace
Modified: 2013-02-04 20:37 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
PATCH NAME: BZ-896527 PRODUCT NAME: JBoss Enterprise BRMS Platform VERSION: SHORT DESCRIPTION: Security patch LONG DESCRIPTION: This is a security patch for BRMS-5.3.0.GA. This patch includes the following fi x: [BZ-896527] CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints MANUAL INSTALL INSTRUCTIONS : Apply the patch jars: - Remove the following jars: $JBOSS_HOME/jboss-as/server/<configuration>/deploy/jbossweb.sar/jbossweb.jar - Copy the jar(s) from BZ-896527.zip to the same locations: $JBOSS_HOME/jboss-as/server/<configuration>/deploy/jbossweb.sar/jbossweb.jar COMPATIBILITY: NA DEPENDENCIES: NA SUPERSEDES: NA SUPERSEDED BY: NA CREATOR: Neil Wallace DATE: 16th January 2013
Story Points: ---
Clone Of:
Last Closed: 2013-02-04 20:37:14 EST
Type: Support Patch
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description nwallace 2013-01-17 08:50:34 EST
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 David Jorm 2013-01-17 17:59:02 EST
I have tested the patch here:


With the reproducer, and found that it successfully resolves CVE-2012-3546. QE should perform regression testing before we say this is ready for release.
Comment 2 Petr Široký 2013-01-24 09:59:21 EST
The patched jbossweb.jar is _not_ signed. It has to be signed in order to release it as patch. Can we get a signed version?
Comment 3 David Jorm 2013-01-24 18:30:07 EST
Neil, can you please provide a signed version?
Comment 4 David Jorm 2013-01-31 01:17:06 EST
Neil has now updated http://jawa05.englab.brq.redhat.com/patches/BZ-896527/BZ-896527.zip to include a signed JAR. Petr, can you please test it ASAP? If we can get it tested this week to ship on Monday that would be ideal.
Comment 5 Petr Široký 2013-01-31 05:36:06 EST
Hi David,

yes, I will look at this today.
Comment 6 Petr Široký 2013-01-31 08:30:52 EST
Regression tests passed with patched BRMS 5.3.0.GA standalone, no issues were found.

dfe206bdb255fe88dfa4e4639a85e2f0  BZ-896527.zip
d6ec6d191b2e81b3823cdfc3bc39a110  jbossweb.jar
Comment 7 David Jorm 2013-02-04 20:37:14 EST
Shipped live:


Note You need to log in before you can comment on or make changes to this bug.