By using a specially crafted HTTP request, the authentication of the jmx-console can be bypassed, as the access restrictions only apply to GET and POST.

Current setting is:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

and should be changed to block ALL http-methods.

Acknowledgements:
Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting this issue.
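The following is an added example, not code from this bug, the advisory or the JBoss project. It embeds the shipped jmx-console constraint quoted above (constructed here as a minimal web.xml) next to a hardened version with the <http-method> list removed, and audits both for the verb gap: under the Servlet spec, a <web-resource-collection> that names explicit <http-method> elements applies its <auth-constraint> only to those verbs, so every other verb reaches the matching URLs unauthenticated. The function names (verb_gaps, is_hardened) and the xmlns on the hardened sample are assumptions made for the example.

```python
"""Audit web.xml <security-constraint> blocks for HTTP-verb gaps.

Added example; it is not code from the Red Hat bug, the advisory or JBoss.
Under the Servlet spec, a <web-resource-collection> that lists explicit
<http-method> elements applies its <auth-constraint> only to those verbs;
every other verb (HEAD, PUT, DELETE, OPTIONS, TRACE, or an arbitrary token)
reaches the matching URLs with no authentication at all. Leaving the
<http-method> list out applies the constraint to every verb, which is the
change the bug asks for.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the jmx-console constraint quoted in comment #0,
# wrapped in a minimal <web-app> so it parses on its own.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same constraint with the <http-method> list
# removed, so JBossAdmin is required for every HTTP method. The xmlns is
# an assumption added to show the audit copes with namespaced descriptors.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _strip_namespaces(root):
    """Rewrite '{uri}tag' to 'tag' so lookups work with or without xmlns."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(parent, path):
    """Stripped text of every element matching an ElementTree path."""
    return [(el.text or "").strip() for el in parent.findall(path)]


def verb_gaps(web_xml):
    """Return one finding per web-resource-collection whose auth-constraint
    does not cover every HTTP verb. Each finding is a dict with the
    collection name, url-patterns, restricted/omitted verbs, required roles
    and a one-line reason."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    findings = []
    for sc in root.iter("security-constraint"):
        roles = _texts(sc, "./auth-constraint/role-name")
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            omitted = [m.upper() for m in _texts(wrc, "http-method-omission")]
            if not methods and not omitted:
                continue  # no verb list: the constraint applies to every verb
            if methods:
                reason = ("only %s are protected; any other verb bypasses "
                          "the auth-constraint" % ", ".join(methods))
            else:
                reason = "%s are explicitly left unprotected" % ", ".join(omitted)
            findings.append({
                "name": (wrc.findtext("web-resource-name") or "").strip(),
                "patterns": _texts(wrc, "url-pattern"),
                "methods": methods,
                "omitted": omitted,
                "roles": roles,
                "reason": reason,
            })
    return findings


def is_hardened(web_xml):
    """True when no constraint in the descriptor leaves a verb gap."""
    return not verb_gaps(web_xml)


if __name__ == "__main__":
    for label, doc in (("shipped", VULNERABLE_WEB_XML), ("fixed", HARDENED_WEB_XML)):
        print(label, "hardened" if is_hardened(doc) else "VULNERABLE")
        for f in verb_gaps(doc):
            print("  %s %s: %s" % (f["name"], f["patterns"], f["reason"]))
```

Run it against the jmx-console.war/WEB-INF/web.xml of a deployment to see whether the shipped GET/POST-only constraint is still in place; the audit also flags Servlet 3.0 <http-method-omission> lists, since the omitted verbs are likewise unconstrained.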
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 4 Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4 Via RHSA-2010:0377 https://rhn.redhat.com/errata/RHSA-2010-0377.html
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 5 Via RHSA-2010:0378 https://rhn.redhat.com/errata/RHSA-2010-0378.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 5 Via RHSA-2010:0379 https://rhn.redhat.com/errata/RHSA-2010-0379.html
External References: https://access.redhat.com/kb/docs/DOC-30741
(In reply to comment #0)
> By using a specially crafted HTTP request, the authentication
> of the jmx-console can be bypassed, as the access restrictions
> only apply for GET and POST.
> Current setting is:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>HtmlAdaptor</web-resource-name>
>     <description>An example security config that only allows users with the
>     role JBossAdmin to access the HTML JMX console web application
>     </description>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>JBossAdmin</role-name>
>   </auth-constraint>
> </security-constraint>
> and should be changed to block ALL http-methods.
> Acknowledgements:
> Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
> Security for responsibly reporting this issue.
Community releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here: https://community.jboss.org/wiki/SecureTheJmxConsole