Bug 767020 (CVE-2011-4608)

Summary: CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akostadi, jclere, mbabacek, mjc, rcvalle, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-18 23:24:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 767420, 767421, 767422    
Bug Blocks: 767021    

Description David Jorm 2011-12-13 01:24:21 UTC 
It was found that mod_cluster allowed worker nodes to register on any vhost, regardless of the security constraints applied to other vhosts. In a typical environment there will be one vhost configured internally for worker nodes, and another configured externally for serving content. A remote attacker could exploit this flaw by registering a worker node via an external vhost that is not configured to apply security constraints, then use this worker node to serve malicious content, intercept credentials and hijack user sessions.
Comment 5 errata-xmlrpc 2012-01-18 19:25:09 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0040 https://rhn.redhat.com/errata/RHSA-2012-0040.html
Comment 6 errata-xmlrpc 2012-01-18 19:25:13 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:0039 https://rhn.redhat.com/errata/RHSA-2012-0039.html
Comment 7 errata-xmlrpc 2012-01-18 19:25:17 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0038 https://rhn.redhat.com/errata/RHSA-2012-0038.html
Comment 8 errata-xmlrpc 2012-01-18 19:25:21 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:0037 https://rhn.redhat.com/errata/RHSA-2012-0037.html
Comment 9 errata-xmlrpc 2012-01-18 19:25:24 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0036 https://rhn.redhat.com/errata/RHSA-2012-0036.html
Comment 10 errata-xmlrpc 2012-01-18 19:25:30 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0035 https://rhn.redhat.com/errata/RHSA-2012-0035.html
Comment 11 JBoss JIRA Server 2012-01-25 14:51:06 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

I am going to verify and close as soon as the patch is commited to Mod_cluster 1.2.0.Beta4 source.
Comment 12 JBoss JIRA Server 2012-02-27 14:40:05 UTC 
Michal Babacek <mbabacek> updated the status of jira JBPAPP-7708 to Resolved
Comment 13 JBoss JIRA Server 2012-02-27 14:40:05 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

[~jfclere] has fixed it. Resolving.
Comment 14 JBoss JIRA Server 2012-02-27 14:45:06 UTC 
Michal Babacek <mbabacek> updated the status of jira JBPAPP-7708 to Closed
Comment 15 JBoss JIRA Server 2012-02-27 14:45:06 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

Verified with *{color:black}m_c 1.2.Final{color}*, one has to add {noformat}EnableMCPMReceive{noformat} in vhost conf (/).