Bug 1031829 (CVE-2013-4810)

Summary: CVE-2013-4810 HP ProCurve Manager (PCM): invoker servlets do not require authentication
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: bforte, mjc, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-18 21:53:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1830891    

Description David Jorm 2013-11-18 21:49:46 UTC 
The HP ProCurve Manager (PCM) was found to expose unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces. A remote attacker could exploit this flaw to invoke MBean methods and run arbitrary code in the context of the user running the PCM server.
Comment 1 David Jorm 2013-11-18 21:53:38 UTC 
Statement:

CVE-2013-4810 refers to the exposure of unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces on HP ProCurve Manager (PCM). These servlets are also, however, exposed without authentication on older, unsupported community releases of JBoss AS (WildFly) 4.x and 5.x.

All supported Red Hat JBoss products that include the JMXInvokerServlet and EJBInvokerServlet interfaces apply authentication by default and are not affected by this issue. 

Community releases of JBoss AS (WildFly) 7.x are also not affected by this issue.

Users of older, unsupported community releases of JBoss AS (WildFly) are advised to follow the instructions available here to apply authentication to the invoker servlet interfaces:

https://community.jboss.org/wiki/SecureJboss/

Note: Red Hat has been aware of this issue since 2012, as identified in CVE-2012-0874, and addressed the issue for supported Red Hat JBoss products based on JBoss AS 4.x and 5.x.
Comment 4 David Jorm 2013-11-19 00:48:51 UTC 
External References:

https://access.redhat.com/site/articles/545183