Issued:: 2006-03-07
Updated:: 2006-03-07

RHSA-2006:0161 - RHAPS security and enhancement update

Synopsis

RHAPS security and enhancement update

Type/Severity

Security Advisory Moderate

Topic

Red Hat Application Server Release 2 Update 1 is now available.

This update contains an upgrade of several RHAPS components to newer releases, including JOnAS 4.6.3, Tomcat 5.5.12 and Struts 1.2.8.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Description

Red Hat Application Server packages provide a J2EE Application Server and Web container as well as the underlying Java stack.

A denial of service flaw was found in the way Apache Tomcat displays directory listings. A remote attacker could cause Tomcat to consume large amounts of CPU resources by sending multiple requests for a directory containing a large number of files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3510 to this issue. This update contains a version of Apache Tomcat that will recover after the aforementioned attack. Users are also advised to disable directory listing for web directories that contain very large numbers of files.

A cross-site scripting flaw was found in the way Struts displays error pages. It may be possible for an attacker to construct a specially crafted URL which could fool a victim into believing they are viewing a trusted site. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3745 to this issue. Please note that this issue does not affect Struts running on Tomcat or JOnAS, which is our supported usage of Struts.

Additionally, this update replaces some other outdated packages with new versions. Several bug fixes and enhancements are included in these new versions.

IMPORTANT: Before applying this update, read the detailed installation/upgrade instructions in the RELEASE_NOTES document.

All users of Red Hat Application Server should upgrade to these updated packages, which contain packages that are not vulnerable to these issues.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

IMPORTANT: For this errata, use the 'up2date' command (with no arguments). DO NOT partially upgrade the packages for this errata as this can result in a non-consistent set of packages being installed.

The update will cause applications to be undeployed from the server. Redeploy all desired applications after the upgrade -- rerun GenIC for faster deployment by the server as it will not have to replace stubs from the previous version on the fly.

The 'jeremie' protocol option for the JOnAS J2EE Application Server is now deprecated and unsupported. If your JOnAS server is using the 'jeremie' protocol option, make sure you change the configuration to use the 'jrmp' protocol instead before restarting the server. A server configured to use the 'jeremie' protocol may not function properly after the upgrade.

Affected Products

Product	Version	Arch
Red Hat Application Server v.2	2	x86_64
Red Hat Application Server v.2	2	ppc
Red Hat Application Server v.2	2	ia64
Red Hat Application Server v.2	2	i386

Updated Packages

xml-commons-apis-javadoc-1.3.02-2jpp_1rh.noarch.rpm
ant-commons-net-1.6.5-1jpp_1rh.noarch.rpm
ant-apache-regexp-1.6.5-1jpp_1rh.noarch.rpm
tribe-0.3-1jpp_1rh.noarch.rpm
xerces-j2-javadoc-other-2.7.1-1jpp_1rh.noarch.rpm
ant-apache-oro-1.6.5-1jpp_1rh.noarch.rpm
xdoclet-javadoc-1.2.2-3jpp_1rh.noarch.rpm
howl-logger-javadoc-0.1.11-1jpp_1rh.noarch.rpm
tomcat5-server-lib-5.5.12-1jpp_11rh.noarch.rpm
servletapi3-javadoc-3.3.1-0.a.2jpp_4rh.noarch.rpm
octopus-3.4-1jpp_1rh.noarch.rpm
ant-commons-logging-1.6.5-1jpp_1rh.noarch.rpm
xerces-j2-javadoc-apis-2.7.1-1jpp_1rh.noarch.rpm
tomcat5-jsp-2.0-api-5.5.12-1jpp_11rh.noarch.rpm
classpathx-mail-javadoc-1.1.1-2jpp_8rh.noarch.rpm
mx4j-manual-3.0.1-1jpp_4rh.noarch.rpm
struts-webapps-tomcat5-1.2.8-1jpp_1rh.noarch.rpm
opensaml-1.1b-1jpp_1rh.noarch.rpm
xml-commons-which-1.3.02-2jpp_1rh.noarch.rpm
jorm-rdb-adapter-javadoc-3.1-1jpp_1rh.noarch.rpm
objectweb-emb-plugins-1.0.2-0.20051006.1jpp_3rh.noarch.rpm
xml-commons-apis-manual-1.3.02-2jpp_1rh.noarch.rpm
jacorb-javadoc-2.2.2-1jpp_3rh.noarch.rpm
objectweb-emb-api-1.0.2-0.20051006.1jpp_3rh.noarch.rpm
geronimo-saaj-1.1-api-1.0-0.M4.1jpp_10rh.noarch.rpm
tomcat5-jasper-5.5.12-1jpp_11rh.noarch.rpm
ant-apache-log4j-1.6.5-1jpp_1rh.noarch.rpm
jonathan-jeremie-javadoc-4.2.2-1jpp_1rh.noarch.rpm
rh-jonas-docs-4.6.3-2.noarch.rpm
jotm-demo-2.0.11-1jpp_1rh.noarch.rpm
tomcat5-webapps-5.5.12-1jpp_11rh.noarch.rpm
xdoclet-manual-1.2.2-3jpp_1rh.noarch.rpm
tomcat5-common-lib-5.5.12-1jpp_11rh.noarch.rpm
ant-jdepend-1.6.5-1jpp_1rh.noarch.rpm
ant-antlr-1.6.5-1jpp_1rh.noarch.rpm
speedo-1.3.3-1jpp_2rh.noarch.rpm
xml-security-javadoc-1.2.1-1jpp_1rh.noarch.rpm
ant-apache-bcel-1.6.5-1jpp_1rh.noarch.rpm
ant-trax-1.6.5-1jpp_1rh.noarch.rpm
carol-irmi-1.0.1-1jpp_1rh.noarch.rpm
xdoclet-1.2.2-3jpp_1rh.noarch.rpm
speedo-weblogic-1.3.3-1jpp_2rh.noarch.rpm
joram-adapter-4.3.9-1jpp_2rh.noarch.rpm
perseus-cache-javadoc-1.5.3-1jpp_1rh.noarch.rpm
jonas-examples-4.6.3-1jpp_5rh.noarch.rpm
ant-nodeps-1.6.5-1jpp_1rh.noarch.rpm
jonas-4.6.3-1jpp_5rh.noarch.rpm
geronimo-jaxr-1.0-api-1.0-0.M4.1jpp_10rh.noarch.rpm
avalon-logkit-javadoc-1.2-2jpp_4rh.noarch.rpm
tomcat5-admin-webapps-5.5.12-1jpp_11rh.noarch.rpm
objectweb-emb-javadoc-1.0.2-0.20051006.1jpp_3rh.noarch.rpm
struts-javadoc-1.2.8-1jpp_1rh.noarch.rpm
carol-2.0.11-1jpp_3rh.noarch.rpm
ant-jmf-1.6.5-1jpp_1rh.noarch.rpm
axis-manual-1.2.1-1jpp_3rh.noarch.rpm
struts-1.2.8-1jpp_1rh.noarch.rpm
speedo-javadoc-1.3.3-1jpp_2rh.noarch.rpm
ews-mapper-javadoc-1.1-1jpp_1rh.noarch.rpm
ws-fx-addressing-1.0-1jpp_1rh.noarch.rpm
jacorb-manual-2.2.2-1jpp_3rh.noarch.rpm
xml-security-demo-1.2.1-1jpp_1rh.noarch.rpm
wss4j-1.1.0-1jpp_1rh.noarch.rpm
geronimo-jaxrpc-1.1-api-1.0-0.M4.1jpp_10rh.noarch.rpm
joram-adapter-remote-4.3.9-1jpp_2rh.noarch.rpm
geronimo-corba-2.3-apis-1.0-0.M4.1jpp_10rh.noarch.rpm
ant-apache-resolver-1.6.5-1jpp_1rh.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.12-1jpp_11rh.noarch.rpm
mx4j-javadoc-3.0.1-1jpp_4rh.noarch.rpm
geronimo-javamail-1.3.1-api-1.0-0.M4.1jpp_10rh.noarch.rpm
c-jdbc-1.1-1jpp_2rh.noarch.rpm
perseus-persistence-javadoc-1.5.1-1jpp_1rh.noarch.rpm
xerces-j2-javadoc-xni-2.7.1-1jpp_1rh.noarch.rpm
servletapi4-javadoc-4.0.4-3jpp_5rh.noarch.rpm
tribe-javadoc-0.3-1jpp_1rh.noarch.rpm
tomcat5-servlet-2.4-api-5.5.12-1jpp_11rh.noarch.rpm
jotm-2.0.11-1jpp_1rh.noarch.rpm
xml-commons-which-javadoc-1.3.02-2jpp_1rh.noarch.rpm
ant-swing-1.6.5-1jpp_1rh.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.12-1jpp_11rh.noarch.rpm
servletapi3-3.3.1-0.a.2jpp_4rh.noarch.rpm
speedo-for-jonas-1.3.3-1jpp_2rh.noarch.rpm
joram-for-jonas-4.3.9-1jpp_2rh.noarch.rpm
ant-javamail-1.6.5-1jpp_1rh.noarch.rpm
speedo-client-1.3.3-1jpp_2rh.noarch.rpm
servletapi4-4.0.4-3jpp_5rh.noarch.rpm
jorm-javadoc-2.7-1jpp_1rh.noarch.rpm
ws-fx-addressing-javadoc-1.0-1jpp_1rh.noarch.rpm
carol-irmi-javadoc-1.0.1-1jpp_1rh.noarch.rpm
geronimo-jacc-1.0-api-1.0-0.M4.1jpp_10rh.noarch.rpm
jonas-client-4.6.3-1jpp_5rh.noarch.rpm
struts-manual-1.2.8-1jpp_1rh.noarch.rpm
tomcat5-5.5.12-1jpp_11rh.noarch.rpm
log4j-manual-1.2.12-1jpp_1rh.noarch.rpm
geronimo-jaf-1.0.2-api-1.0-0.M4.1jpp_10rh.noarch.rpm
xml-security-1.2.1-1jpp_1rh.noarch.rpm
medor-expression-javadoc-1.6.1-1jpp_1rh.noarch.rpm
ant-jsch-1.6.5-1jpp_1rh.noarch.rpm
struts-webapps-tomcat4-1.2.8-1jpp_1rh.noarch.rpm
objectweb-emb-1.0.2-0.20051006.1jpp_3rh.noarch.rpm
c-jdbc-javadoc-1.1-1jpp_2rh.noarch.rpm
ant-scripts-1.6.5-1jpp_1rh.noarch.rpm
jacorb-2.2.2-1jpp_3rh.noarch.rpm
ant-manual-1.6.5-1jpp_1rh.noarch.rpm
ant-junit-1.6.5-1jpp_1rh.noarch.rpm
carol-javadoc-2.0.11-1jpp_3rh.noarch.rpm
wss4j-javadoc-1.1.0-1jpp_1rh.noarch.rpm
howl-logger-0.1.11-1jpp_1rh.noarch.rpm
jacorb-demo-2.2.2-1jpp_3rh.noarch.rpm
tribe-demo-0.3-1jpp_1rh.noarch.rpm
jonas-docs-4.6.3-1jpp_5rh.noarch.rpm
jorm-rdb-adapter-3.1-1jpp_1rh.noarch.rpm
tomcat5-jasper-javadoc-5.5.12-1jpp_11rh.noarch.rpm
perseus-cache-1.5.3-1jpp_1rh.noarch.rpm
medor-expression-1.6.1-1jpp_1rh.noarch.rpm
axis-javadoc-1.2.1-1jpp_3rh.noarch.rpm
joram-javadoc-4.3.9-1jpp_2rh.noarch.rpm
jotm-manual-2.0.11-1jpp_1rh.noarch.rpm
xerces-j2-scripts-2.7.1-1jpp_1rh.noarch.rpm
jotm-javadoc-2.0.11-1jpp_1rh.noarch.rpm
jonathan-jeremie-4.2.2-1jpp_1rh.noarch.rpm
medor-javadoc-1.6.1-1jpp_1rh.noarch.rpm
jorm-2.7-1jpp_1rh.noarch.rpm
ews-mapper-1.1-1jpp_1rh.noarch.rpm
classpathx-jaf-javadoc-1.0-2jpp_6rh.noarch.rpm
opensaml-javadoc-1.1b-1jpp_1rh.noarch.rpm
ant-javadoc-1.6.5-1jpp_1rh.noarch.rpm
medor-1.6.1-1jpp_1rh.noarch.rpm
xerces-j2-javadoc-impl-2.7.1-1jpp_1rh.noarch.rpm
ishmael-0.1.9-1jpp_1rh.noarch.rpm
perseus-persistence-1.5.1-1jpp_1rh.noarch.rpm
log4j-javadoc-1.2.12-1jpp_1rh.noarch.rpm
xerces-j2-demo-2.7.1-1jpp_1rh.noarch.rpm
geronimo-qname-1.1-api-1.0-0.M4.1jpp_10rh.noarch.rpm
ant-apache-bsf-1.6.5-1jpp_1rh.noarch.rpm
struts-webapps-tomcat3-1.2.8-1jpp_1rh.noarch.rpm
joram-4.3.9-1jpp_2rh.noarch.rpm

Fixes

CVEs

References

(none)

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.