It was found that hawtio contains a CSRF flaw that allows unrelated websites to perform actions as the authenticated user. An attacker could use this vulnerability to trick the user into visiting a website containing a malicious script, which would then be submitted to the hawtio server on behalf of the user.
Mitigation: the recommended mitigation for this problem is to manually set up <allow-origin> lists and <strict-checking /> in a custom jolokia-access.xml for production environments:
and add a new system property to include the jolokia access configuration:
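As an added illustration, not the advisory's own text, this is the shape such a restrictive Jolokia policy file takes: the `<allow-origin>` entries list only the origins hawtio is legitimately served from, and `<strict-checking />` makes Jolokia also verify the `Origin`/`Referer` header on ordinary (non-preflight) requests, which is what blocks cross-site requests sent with the user's session. The origin value and file path below are constructed placeholders, and the property name `jolokia.policyLocation` is assumed to be the Jolokia system property that points the agent at this file; check it against the Jolokia version shipped with your hawtio.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jolokia-access.xml: constructed example of a CORS-restricting Jolokia policy -->
<restrict>
  <cors>
    <!-- Only the origin(s) that legitimately host hawtio may call the Jolokia endpoint.
         A bare "*" here would re-open the cross-site request path described above. -->
    <allow-origin>https://hawtio.example.internal</allow-origin>

    <!-- Enforce the origin check on every request, not only on CORS preflights -->
    <strict-checking />
  </cors>
</restrict>

<!-- Assumed launch flag (java -D...) telling the agent where the policy lives;
     the path is a placeholder: -->
<!-- -Djolokia.policyLocation=file:///etc/hawtio/jolokia-access.xml -->
```

After restarting, confirm a request carrying a foreign `Origin` header is rejected by Jolokia while the listed origin still succeeds; that is the observable check that the mitigation took effect.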
Hawtio is not included in OCP. Setting as notaffected.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):