Bug 216177
| Summary: | JBossAS needs to be bound to localhost by default | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Web Application Stack | Reporter: | Deepak Bhole <dbhole> |
| Component: | jbossas | Assignee: | Deepak Bhole <dbhole> |
| Status: | CLOSED ERRATA | QA Contact: | Len DiMaggio <ldimaggi> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | v1 | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | RHSA-2006-0743 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-11-27 15:43:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Deepak Bhole
2006-11-17 17:01:43 UTC
An issue we have to consider with this bz is that if we replace config files to resolve the problem, and customers have already customized those files, their customizations will be lost. We'll have to be careful/clear in documenting this for customers.

In case we add JBOSS_IP="127.0.0.1" to /etc/sysconfig/jbossas, all future installations will listen on localhost only and the default installation will be safe. This still requires documentation on securing the console when opening the JBoss AS to the public, which should be added anyway; since there already exists a wiki page about securing the console, it should be no big deal. It is only a matter of putting that into the right places in the installation manual so that customers are aware of it.

The case of already installed servers is different, because /etc/sysconfig/jbossas is a noreplace config file from the RPM point of view. Which is a good thing, since customers may have deployed a public server and forcing it to localhost only with an update would break their setup. However, they are still vulnerable, and it is the job of a kbase article and the errata text to make them aware of the security issue. So this is not a big deal.

The case that we want to make the console secure even for publicly available installations by default is another thing. I do not have enough internal insight into JBoss AS to give any advice for it. So this is up to you to find a solution.

removing embargo.

See also http://kbase.redhat.com/faq/FAQ_107_9629.shtm

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0743.html
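As an added example (not from the bug report or the RHWAS packages), a small POSIX shell audit for the situation the comments describe: because /etc/sysconfig/jbossas is noreplace, an already installed server keeps whatever JBOSS_IP setting it had, so an administrator has to check the file and the live listeners rather than trust the update. It assumes the init script honours JBOSS_IP as the bug states and `netstat -ltn`-style output; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the RHWAS packages. Sample inputs
# are constructed. Assumes the init script honours JBOSS_IP from the sysconfig
# file, as the bug describes, and `netstat -ltn`-style listener output.

# Read a sysconfig file on stdin and print localhost|public|unset.
# Returns 0 only when the bind address is loopback. Commented-out lines are
# ignored and the last assignment wins, as when the init script sources the file.
jboss_bind_status() {
    ip=$(grep '^[[:space:]]*JBOSS_IP=' | tail -n 1 | cut -d= -f2- | tr -d "\"' ")
    case "$ip" in
        "")              echo unset;     return 1 ;;
        127.*|localhost) echo localhost; return 0 ;;
        *)               echo public;    return 1 ;;
    esac
}

# Read netstat -ltn style lines on stdin and print each listening TCP port that
# is bound to every interface (0.0.0.0, * or ::). Returns 0 when there is none,
# so it serves as the runtime check after the config change and a restart.
exposed_ports() {
    awk '$NF == "LISTEN" {
            n = split($4, p, ":"); port = p[n]; host = $4
            sub(":" port "$", "", host)
            if (host == "0.0.0.0" || host == "*" || host == "::") { print port; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed samples: a stock file that never set JBOSS_IP (noreplace keeps it
# that way across updates) and a corrected one.
printf 'JBOSS_USER=jboss\n' | jboss_bind_status
printf 'JBOSS_USER=jboss\nJBOSS_IP="127.0.0.1"\n' | jboss_bind_status

# Constructed listener table: two sockets on all interfaces, one on loopback.
printf '%s\n' \
    'tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN' \
    'tcp 0 0 127.0.0.1:8083 0.0.0.0:* LISTEN' \
    'tcp 0 0 :::1099 :::* LISTEN' | exposed_ports
```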