| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request | | |
| Product | [Other] Security Response | Reporter | Marc Schoenefeld <mschoene> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | unspecified | CC | bgeorges, ccrouch, dandread, djorm, fnasser, hithisisanand, ldimaggi, mjc, nlfdwms2006, osoukup, pinto.elia, rcvalle, remm, security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-05-17 05:07:27 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
Description
Marc Schoenefeld
2010-03-16 16:20:35 UTC
This issue has been addressed in the following products:

- JBEAP 4.2.0 for RHEL 4, via RHSA-2010:0376: https://rhn.redhat.com/errata/RHSA-2010-0376.html
- JBEAP 4.3.0 for RHEL 4, via RHSA-2010:0377: https://rhn.redhat.com/errata/RHSA-2010-0377.html
- JBEAP 4.2.0 for RHEL 5, via RHSA-2010:0378: https://rhn.redhat.com/errata/RHSA-2010-0378.html
- JBEAP 4.3.0 for RHEL 5, via RHSA-2010:0379: https://rhn.redhat.com/errata/RHSA-2010-0379.html

External References: https://access.redhat.com/kb/docs/DOC-30741

(In reply to comment #0)
> By using a specially crafted HTTP request, the authentication
> of the jmx-console can be bypassed, as the access restrictions
> only apply for GET and POST.
>
> Current setting is:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>HtmlAdaptor</web-resource-name>
>         <description>An example security config that only allows users with the
>         role JBossAdmin to access the HTML JMX console web application
>         </description>
>         <url-pattern>/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>JBossAdmin</role-name>
>       </auth-constraint>
>     </security-constraint>
>
> and should be changed to block ALL http-methods.
>
> Acknowledgements:
>
> Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
> Security for responsibly reporting this issue.

Community releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here: https://community.jboss.org/wiki/SecureTheJmxConsole
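The quoted constraint protects only the verbs it lists, so a request using any other method is never matched and reaches the console unauthenticated. The following audit script is an added example, not code from the bug report or from JBoss: it parses a web.xml, flags every `security-constraint` that enumerates `http-method` elements, and emits a hardened copy with those elements removed so the constraint covers all methods. The `WEAK_WEB_XML` sample is constructed from the quoted configuration, and the helper names (`_named`, `find_method_limited_constraints`, `harden`) are this example's own.

```python
"""Audit a web.xml for security-constraints that list explicit <http-method>
elements (the verb-tampering misconfiguration behind CVE-2010-0738)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the weak jmx-console constraint quoted above.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _named(el, name, direct=False):
    # Match on the local tag name so a web.xml with an xmlns default namespace
    # is handled too; skip comment nodes, whose .tag is not a string.
    pool = list(el) if direct else el.iter()
    return [c for c in pool
            if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]

def find_method_limited_constraints(web_xml: str) -> list:
    """One finding per web-resource-collection that names HTTP methods: any
    verb not listed (HEAD, PUT, DELETE, ...) falls outside the constraint,
    so the auth-constraint is never enforced for that verb."""
    findings = []
    for sc in _named(ET.fromstring(web_xml), "security-constraint"):
        roles = [r.text for r in _named(sc, "role-name")]
        for wrc in _named(sc, "web-resource-collection", direct=True):
            methods = [m.text.strip().upper()
                       for m in _named(wrc, "http-method", direct=True)]
            if methods:
                name = _named(wrc, "web-resource-name", direct=True)
                findings.append({
                    "resource": name[0].text if name else None,
                    "patterns": [p.text for p in _named(wrc, "url-pattern", True)],
                    "methods": methods, "roles": roles})
    return findings

def harden(web_xml: str) -> str:
    """Drop every <http-method> so each constraint applies to ALL verbs."""
    root = ET.fromstring(web_xml)
    for wrc in _named(root, "web-resource-collection"):
        for m in _named(wrc, "http-method", direct=True):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Run `find_method_limited_constraints(WEAK_WEB_XML)` to see the HtmlAdaptor finding, and `harden(WEAK_WEB_XML)` to get the corrected constraint that matches every method.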