- --------------------------------------------------------------------- Red Hat Security Advisory
Synopsis: Low: struts security update for Red Hat Application Server Advisory ID: RHSA-2006:0157-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0157.html Issue date: 2006-01-11 Updated on: 2006-01-11 Product: Red Hat Application Server CVE Names: CVE-2005-3745 - ---------------------------------------------------------------------
1. Summary:
Updated Red Hat Application Server components are now available including a security update for Struts.
This update has been rated as having low security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Server 3AS - noarch Red Hat Application Server 3ES - noarch Red Hat Application Server 3WS - noarch
3. Problem description:
Red Hat Application Server packages provide a J2EE Application Server and Web container as well as the underlying Java stack.
A cross-site scripting flaw was found in the way Struts displays error pages. It may be possible for an attacker to construct a specially crafted URL which could fool a victim into believing they are viewing a trusted site. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3745 to this issue. Please note that this issue does not affect Struts running on Tomcat or JOnAS, which is our supported usage of Struts.
All users of Red Hat Application Server should upgrade to these updated packages, which contain Struts version 1.2.8 which is not vulnerable to this issue.
4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.