Bug 1486220 (CVE-2017-12149)

Summary: CVE-2017-12149 jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker.
Product: [Other] Security Response
Reporter: Bharti Kundal <bkundal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text: It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.
Last Closed: 2019-06-08 03:22:25 UTC
Bug Depends On: 1487010
Bug Blocks: 1484084

Description Bharti Kundal 2017-08-29 09:02:09 UTC
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.

Comment 1 Bharti Kundal 2017-08-29 09:02:13 UTC
Acknowledgments:

Name: Joao F M Figueiredo

Comment 2 Bharti Kundal 2017-08-29 09:13:13 UTC
Mitigation:

Secure access to the entire http-invoker context by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. Users who do not wish to use the http-invoker.sar can remove it.
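Added example, not part of this report and not Red Hat's or JBoss's own code: a defender-side check that parses an http-invoker web.xml and reports whether the mitigation from comment 2 is in place, i.e. a security-constraint carrying an auth-constraint whose url-pattern is /*. The two descriptors are constructed for the example; the ReadOnlyAccessFilter mapping and the HttpInvoker role name are assumptions about invoker.war's descriptor, not values taken from this page.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace so the check also works on descriptors that
    declare the J2EE/Java EE default namespace on <web-app>."""
    return tag.rsplit("}", 1)[-1]


def protected_patterns(web_xml):
    """Return the url-patterns that sit inside a <security-constraint> which
    also has an <auth-constraint>.  A constraint with no <auth-constraint>
    imposes no role requirement, so its patterns are deliberately ignored."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(child.tag) == "auth-constraint" for child in sc):
            continue
        for el in sc.iter():
            if _local(el.tag) == "url-pattern" and el.text:
                patterns.add(el.text.strip())
    return patterns


def http_invoker_locked_down(web_xml):
    """True when the descriptor applies the mitigation from the report:
    the whole context (/*) requires an authenticated role."""
    return "/*" in protected_patterns(web_xml)


# Constructed descriptor modelled on invoker.war's WEB-INF/web.xml (assumed
# layout): only /restricted/* requires the HttpInvoker role, so the path the
# ReadOnlyAccessFilter is mapped to is reachable without authentication.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter-mapping>
    <filter-name>ReadOnlyAccessFilter</filter-name>
    <url-pattern>/readonly/*</url-pattern>
  </filter-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Mitigated descriptor: the constraint's url-pattern widened to /* as advised.
WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "<url-pattern>/restricted/*</url-pattern>", "<url-pattern>/*</url-pattern>")

if __name__ == "__main__":
    for name, doc in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(name, "locked down:", http_invoker_locked_down(doc))
```

Run it against each deployed profile's invoker.war/WEB-INF/web.xml (the comments below discuss which profiles ship one) to confirm the constraint was widened in every copy.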

Comment 4 Bharti Kundal 2017-09-01 17:39:28 UTC
Statement:

Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.

Comment 5 Samson 2017-09-15 04:23:00 UTC
(In reply to Bharti Kundal from comment #2)
> Mitigation:
> 
> Secure access to the entire http-invoker context by adding
> <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> file of the http-invoker.sar. Users who do not wish to use the
> http-invoker.sar can remove it.

But I have found two web.xml files, which are both under http-invoker.sar folders; please refer to the file paths below:

......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml

I would like to know which web.xml file should be removed, or whether all of them should be removed.

Thanks

Comment 6 Bharti Kundal 2017-09-15 06:50:31 UTC
(In reply to Samson from comment #5)
> (In reply to Bharti Kundal from comment #2)
> > Mitigation:
> > 
> > Secure access to the entire http-invoker context by adding
> > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > file of the http-invoker.sar. Users who do not wish to use the
> > http-invoker.sar can remove it.
> 
> But I have found two web.xml files, which are both under http-invoker.sar
> folders; please refer to the file paths below:
> 
> ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> 
> I would like to know which web.xml file should be removed, or whether all
> of them should be removed.
> 
> Thanks

Hi Samson,

It depends on which profile you want to run your server with, such as default, web or all. There are various profiles in EAP. For example, you can run your server as:
run.sh -c all or run.sh -c web


The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server

1)all
2)default
3)minimal
4)production
5)standard
6)web

Comment 7 Samson 2017-09-15 07:03:19 UTC
(In reply to Bharti Kundal from comment #6)
> (In reply to Samson from comment #5)
> > (In reply to Bharti Kundal from comment #2)
> > > Mitigation:
> > > 
> > > Secure access to the entire http-invoker context by adding
> > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > file of the http-invoker.sar. Users who do not wish to use the
> > > http-invoker.sar can remove it.
> > 
> > But I have found two web.xml files, which are both under http-invoker.sar
> > folders; please refer to the file paths below:
> > 
> > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > 
> > I would like to know which web.xml file should be removed, or whether all
> > of them should be removed.
> > 
> > Thanks
> 
> Hi Samson,
> 
> It depends on which profile you want to run your server with, such as
> default, web or all. There are various profiles in EAP. For example, you
> can run your server as:
> run.sh -c all or run.sh -c web
> 
> 
> The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server
> 
> 1)all
> 2)default
> 3)minimal
> 4)production
> 5)standard
> 6)web

Hi,

What if I remove web.xml from both paths?

Thanks

Comment 8 Bharti Kundal 2017-10-10 12:30:43 UTC
(In reply to Samson from comment #7)
> (In reply to Bharti Kundal from comment #6)
> > (In reply to Samson from comment #5)
> > > (In reply to Bharti Kundal from comment #2)
> > > > Mitigation:
> > > > 
> > > > Secure access to the entire http-invoker context by adding
> > > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > > file of the http-invoker.sar. Users who do not wish to use the
> > > > http-invoker.sar can remove it.
> > > 
> > > But I have found two web.xml files, which are both under http-invoker.sar
> > > folders; please refer to the file paths below:
> > > 
> > > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > > 
> > > I would like to know which web.xml file should be removed, or whether all
> > > of them should be removed.
> > > 
> > > Thanks
> > 
> > Hi Samson,
> > 
> > It depends on which profile you want to run your server with, such as
> > default, web or all. There are various profiles in EAP. For example, you
> > can run your server as:
> > run.sh -c all or run.sh -c web
> > 
> > 
> > The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server
> > 
> > 1)all
> > 2)default
> > 3)minimal
> > 4)production
> > 5)standard
> > 6)web
> 
> Hi,
> 
> What if I remove web.xml from both paths?
> 
> Thanks

Hi Samson,

Is there any purpose behind removing the web.xml? It is a deployment descriptor; removing it may lead to errors.

Regards,
Bharti

Comment 14 errata-xmlrpc 2018-05-17 18:17:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2 security update

Via RHSA-2018:1608 https://access.redhat.com/errata/RHSA-2018:1608

Comment 15 errata-xmlrpc 2018-05-17 18:22:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 5 for RHEL 6

Via RHSA-2018:1607 https://access.redhat.com/errata/RHSA-2018:1607