It was found that hawtio contains a CSRF flaw that allows unrelated websites to perform actions as the authenticated user. An attacker could use this vulnerability to trick the user into visiting a website that contains a malicious script, which can then be submitted to the hawtio server on behalf of the user.
Mitigation: the recommended mitigation to this problem is to manually set up <allow-origin> lists and <strict-checking /> in a custom jolokia-access.xml for the production environment:

<restrict>
  <cors>
    <allow-origin>http*://localhost:*</allow-origin>
    <allow-origin>http*://127.0.0.1:*</allow-origin>
    <allow-origin>http*://myhostname1:*</allow-origin>
    <allow-origin>http*://myhostname2:*</allow-origin>
    <allow-origin>http*://myhostname3:*</allow-origin>
    <strict-checking />
  </cors>
</restrict>

and add a new system property to include the jolokia access configuration:

EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:///home/fuse/jolokia-access.xml' bin/fuse
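An added check for the mitigation above (example code, not from hawtio, Jolokia or Red Hat): it parses a jolokia-access.xml of the shape shown, reports whether <strict-checking /> is present and whether any <allow-origin> entry is a bare wildcard, and emulates matching of a request's Origin header against the list. Treating '*' as "any run of characters" is an assumption that approximates Jolokia's glob matching, and both sample policies are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policies (not from a real deployment): a production-style
# one matching the recommendation above, and a permissive one for contrast.
STRICT_POLICY = """<restrict>
  <cors>
    <allow-origin>http*://localhost:*</allow-origin>
    <allow-origin>http*://127.0.0.1:*</allow-origin>
    <allow-origin>http*://myhostname1:*</allow-origin>
    <strict-checking />
  </cors>
</restrict>"""

WEAK_POLICY = """<restrict>
  <cors>
    <allow-origin>*</allow-origin>
  </cors>
</restrict>"""


def origin_regex(pattern):
    """Turn an <allow-origin> glob into a regex. Assumption: '*' matches any
    run of characters; this approximates Jolokia's matching, it is not its code."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def origin_allowed(origin, patterns):
    """True if the Origin header value matches at least one allow-origin entry."""
    return any(origin_regex(p).match(origin) for p in patterns)


def audit_policy(xml_text):
    """Report whether a jolokia-access.xml has strict checking and a tight origin list."""
    cors = ET.fromstring(xml_text).find("cors")
    result = {"strict": False, "origins": [], "findings": []}
    if cors is None:
        result["findings"].append("no <cors> section: origins are not restricted")
        return result
    result["strict"] = cors.find("strict-checking") is not None
    result["origins"] = [e.text.strip() for e in cors.findall("allow-origin") if e.text]
    if not result["strict"]:
        result["findings"].append("missing <strict-checking />")
    for origin in result["origins"]:
        if origin == "*" or origin.startswith("*"):
            result["findings"].append(f"allow-origin {origin!r} admits any site")
    if not result["origins"]:
        result["findings"].append("no <allow-origin> entries")
    return result
```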
Hawtio is not included in OCP. Setting as notaffected.
This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-7556