Bug 802200 (CVE-2012-1154) - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list
Summary: CVE-2012-1154 mod_cluster registers and exposes the root context of a server ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-1154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 806139 806140 806141
Blocks: 802216 807573
TreeView+ depends on / blocked
 
Reported: 2012-03-12 03:34 UTC by David Jorm
Modified: 2019-09-29 12:51 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-14 01:15:37 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1010 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-06-19 23:23:45 UTC
Red Hat Product Errata RHSA-2012:1011 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-06-19 23:23:41 UTC
Red Hat Product Errata RHSA-2012:1012 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-06-19 23:23:36 UTC
Red Hat Product Errata RHSA-2012:1052 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-07-03 12:58:52 UTC
Red Hat Product Errata RHSA-2012:1053 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-07-03 13:08:59 UTC
Red Hat Product Errata RHSA-2012:1166 0 normal SHIPPED_LIVE Moderate: mod_cluster security update 2012-08-13 19:57:58 UTC

Description David Jorm 2012-03-12 03:34:05 UTC
mod_cluster 1.0.10 CP02 and 1.1.3 registers and exposes the root context of a server by default, despite ROOT being in the excludedContexts list. This is due to a regression that bypassed context filtering for the root context, causing the root context to be enabled inadvertently. This flaw is fixed in mod_cluster 1.0.10 CP03 and 1.1.4.

Comment 1 David Jorm 2012-03-12 06:57:27 UTC
The following products are affected by this flaw:

JBoss Enterprise Web Server 1.0.2
JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Web Platform 5.1.2
JBoss Communications Platform 5.1.3

Comment 2 David Jorm 2012-03-13 01:52:42 UTC
Upstream bug report:

https://issues.jboss.org/browse/MODCLUSTER-253

Comment 4 errata-xmlrpc 2012-06-19 19:24:23 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:1012 https://rhn.redhat.com/errata/RHSA-2012-1012.html

Comment 5 errata-xmlrpc 2012-06-19 19:24:55 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1011 https://rhn.redhat.com/errata/RHSA-2012-1011.html

Comment 6 errata-xmlrpc 2012-06-19 19:25:27 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1010 https://rhn.redhat.com/errata/RHSA-2012-1010.html

Comment 7 errata-xmlrpc 2012-07-03 09:01:13 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1052 https://rhn.redhat.com/errata/RHSA-2012-1052.html

Comment 8 errata-xmlrpc 2012-07-03 09:10:05 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1053 https://rhn.redhat.com/errata/RHSA-2012-1053.html

Comment 9 errata-xmlrpc 2012-08-13 15:58:23 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:1166 https://rhn.redhat.com/errata/RHSA-2012-1166.html


Note You need to log in before you can comment on or make changes to this bug.