Bug 574105 (CVE-2010-0738) - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
Summary: CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
Status: CLOSED ERRATA
Alias: CVE-2010-0738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20100426,repor...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-16 16:20 UTC by Marc Schoenefeld
Modified: 2018-08-15 21:40 UTC (History)
13 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-05-17 05:07:27 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0376 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update 2010-04-27 03:19:52 UTC
Red Hat Product Errata RHSA-2010:0377 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update 2010-04-27 03:39:07 UTC
Red Hat Product Errata RHSA-2010:0378 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update 2010-04-27 03:55:18 UTC
Red Hat Product Errata RHSA-2010:0379 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update 2010-04-27 04:15:45 UTC

Description Marc Schoenefeld 2010-03-16 16:20:35 UTC
By using a specially crafted HTTP request, the authentication 
of the jmx-console can be bypassed, as the access restrictions 
only apply for GET and POST. 

Current setting is: 

<security-constraint>
   <web-resource-collection>
     <web-resource-name>HtmlAdaptor</web-resource-name>
     <description>An example security config that only allows users with the
       role JBossAdmin to access the HTML JMX console web application
     </description>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>JBossAdmin</role-name>
   </auth-constraint>
 </security-constraint>


and should be changed to block ALL http-methods.

Acknowledgements:

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting this issue.

Comment 5 errata-xmlrpc 2010-04-27 03:19:55 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html

Comment 6 errata-xmlrpc 2010-04-27 03:39:10 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2010:0377 https://rhn.redhat.com/errata/RHSA-2010-0377.html

Comment 7 errata-xmlrpc 2010-04-27 03:55:21 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2010:0378 https://rhn.redhat.com/errata/RHSA-2010-0378.html

Comment 8 errata-xmlrpc 2010-04-27 04:15:48 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0379 https://rhn.redhat.com/errata/RHSA-2010-0379.html

Comment 9 Mark J. Cox 2011-10-20 13:30:36 UTC
External References:

https://access.redhat.com/kb/docs/DOC-30741

Comment 10 nlfdwms2006 2012-03-19 07:48:47 UTC
(In reply to comment #0)
> By using a specially crafted HTTP request, the authentication 
> of the jmx-console can be bypassed, as the access restrictions 
> only apply for GET and POST. 
> Current setting is: 
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>HtmlAdaptor</web-resource-name>
>      <description>An example security config that only allows users with the
>        role JBossAdmin to access the HTML JMX console web application
>      </description>
>      <url-pattern>/*</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>JBossAdmin</role-name>
>    </auth-constraint>
>  </security-constraint>
> and should be changed to block ALL http-methods.
> Acknowledgements:
> Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
> Security for responsibly reporting this issue.

Comment 11 David Jorm 2012-05-17 05:07:27 UTC
Community releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole


Note You need to log in before you can comment on or make changes to this bug.