Wednesday, April 9, 2014

JBoss Community Projects (including WildFly AS): OpenSSL HeartBleed Vulnerability

This post summarizes the position that "JBoss community projects, including the WildFly Application Server, are not directly affected by the OpenSSL HeartBleed vulnerability".


JBossWeb APR

The JBossWeb APR (native) functionality requires OpenSSL 0.9.7 or 0.9.8, and neither of those release lines is affected by this vulnerability.
https://docs.jboss.org/jbossweb/2.1.x/apr.html


I consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.
Feel free to report any anomalies using http://www.jboss.org/security

We do recommend taking the appropriate precautions.

Please use the links in the references section for gauging indirect exposure to the HeartBleed vulnerability.

Indirect exposure is still possible:
  • A web server (for example, a reverse proxy) deployed in front of the JBoss/WildFly Application Server may be affected.
  • The operating system on which the JBoss community projects run may ship an affected OpenSSL.
  • OpenSSL v1.0.1 may be used elsewhere in your application infrastructure.
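To gauge the last two kinds of indirect exposure, here is an added shell check (my own, not part of the original post or the JBoss projects) that classifies an `openssl version` string against the upstream advisory's affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, while 0.9.8, 1.0.0 and 1.0.1g or later are not. The function names are assumptions; the parsing assumes the usual `OpenSSL <version> <date>` output format.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the upstream
# Heartbleed (CVE-2014-0160) advisory, https://www.openssl.org/news/secadv_20140407.txt
#
# Upstream affected releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Fixed in 1.0.1g. The 0.9.7, 0.9.8 and 1.0.0 lines never had the bug.
#
# Caveat: distributions backport fixes without bumping the version string
# (a patched 1.0.1e package is common), so "affected" below means "check your
# vendor errata for this build", not "confirmed vulnerable".

# Usage: heartbleed_version_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints exactly one of: affected, not-affected, unknown
heartbleed_version_status() {
    # Extract "<major>.<minor>.<fix><letter>" and an optional "-betaN" suffix;
    # suffixes such as "-fips" are dropped since they do not change the line.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown          # not an OpenSSL banner (e.g. LibreSSL, empty input)
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f])     echo affected ;;      # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)          echo not-affected ;;  # 1.0.1g and later
        1.0.2-beta1)          echo affected ;;      # first 1.0.2 beta shipped the bug
        1.0.2*)               echo not-affected ;;  # later betas and final 1.0.2
        0.9.7*|0.9.8*|1.0.0*) echo not-affected ;;  # older lines never had heartbeat bug
        *)                    echo unknown ;;       # anything newer or unexpected
    esac
}

# Convenience wrapper for the local host; prints "unknown" if openssl is absent.
heartbleed_check_local() {
    heartbleed_version_status "$(openssl version 2>/dev/null)"
}
```

Run `heartbleed_check_local` on each host in the infrastructure, and for any "affected" result confirm against the vendor errata (for example the RHSA and USN pages in the references) before concluding the build is vulnerable.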


References

Please refer to the following articles for more information:

Official OpenSSL Advisory: https://www.openssl.org/news/secadv_20140407.txt
HeartBleed Information: http://www.heartbleed.com

Red Hat Official Announcement: https://access.redhat.com/site/announcements/781953

CVE-2014-0160 (NVD): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Amazon Web Services Advisory: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/



Official Linux Distribution Pages

Red Hat: https://rhn.redhat.com/errata/RHSA-2014-0376.html
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/

Thursday, November 21, 2013

SAML vs OAuth: Which one to use?

Please follow my DZone article on this important topic: http://architects.dzone.com/articles/saml-versus-oauth-which-one

Monday, June 17, 2013

PicketBox XACML v2.0.9.Final Released

PicketBox XACML v2.0.9.Final has been released.

You can download it from http://www.jboss.org/picketbox/downloads

Information available at https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML

This is mostly a bug-fix release; the one functional change is that the locking used around PDP evaluation is now configurable.

Release Notes - PicketBox - Version picketbox_xacml_2.0.9.Final

Bug

  • [SECURITY-738] - XACML DatabaseResourceAttributeLocator fails when used with Oracle 11g Driver
  • [SECURITY-742] - JBossPDP.evaluate() lock should be flexible

Enhancement

  • [SECURITY-734] - Slow policy evaluation with a large number of policy sets

Release