1480060 – (CVE-2017-7556) CVE-2017-7556 Hawtio: CSRF flaw via jolokia

Bug 1480060 (CVE-2017-7556) - CVE-2017-7556 Hawtio: CSRF flaw via jolokia

Summary: CVE-2017-7556 Hawtio: CSRF flaw via jolokia

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-7556
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1480884
Blocks:	1479654
TreeView+	depends on / blocked

Reported:	2017-08-10 03:44 UTC by Hooman Broujerdi
Modified:	2019-09-29 14:18 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that hawtio contains a CSRF flaw that allows unrelated websites to perform actions as the authenticated user. Attackers could use this vulnerability to trick the user to visit his website that contains a malicious script which can be submitted to hawtio server on behalf of the user.
Clone Of:
Environment:
Last Closed:	2019-08-06 07:18:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Hooman Broujerdi 2017-08-10 03:44:22 UTC

It was found that hawtio contains a CSRF flaw that allows unrelated websites to perform actions as the authenticated in user. Attacker could use this vulnerability to trick the user to visit his website that contains a malicious script which can be submitted to hawtio server on behalf of the user.

Comment 2 Hooman Broujerdi 2017-08-28 23:14:32 UTC

Mitigation: the recommended mitigation to this problem is to manually setup <allow-origin> lists and <strict-checking /> in a custom jolokia-access.xml for production environment: 

<restrict>
    <cors>
        <allow-origin>http*://localhost:*</allow-origin>
        <allow-origin>http*://127.0.0.1:*</allow-origin>
        <allow-origin>http*://myhostname1:*</allow-origin>
        <allow-origin>http*://myhostname2:*</allow-origin>
        <allow-origin>http*://myhostname3:*</allow-origin>
        <strict-checking />
    </cors>
</restrict>

and add a new system property to include jolokia access configuration:
EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:///home/fuse/jolokia-access.xml' bin/fuse

Comment 3 Jason Shepherd 2018-04-03 04:24:42 UTC

Hawtio is not included in OCP. Setting as notaffected.

Comment 4 Joshua Padman 2019-08-06 04:25:11 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Product Security DevOps Team 2019-08-06 07:18:41 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-7556

Note You need to log in before you can comment on or make changes to this bug.

ahardin
aileenc
bleanhar
ccoleman
chazlett
dbaker
dedgar
dmcphers
gvarsami
jcoleman
jgoulding
jkeck
jokerman
kconner
ldimaggi
mchappel
nwallace
rwagner
tcunning
tkirby