Bug 574105 (CVE-2010-0738) - CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
Summary: CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
Status: CLOSED ERRATA
Alias: CVE-2010-0738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2010-03-16 16:20 UTC by Marc Schoenefeld
Modified: 2021-08-04 13:57 UTC

Doc Type: Bug Fix
Last Closed: 2012-05-17 05:07:27 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0376 0 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update 2010-04-27 03:19:52 UTC
Red Hat Product Errata RHSA-2010:0377 0 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update 2010-04-27 03:39:07 UTC
Red Hat Product Errata RHSA-2010:0378 0 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update 2010-04-27 03:55:18 UTC
Red Hat Product Errata RHSA-2010:0379 0 normal SHIPPED_LIVE Critical: JBoss Enterprise Application Platform 4.3.0.CP08 update 2010-04-27 04:15:45 UTC

Description Marc Schoenefeld 2010-03-16 16:20:35 UTC
By using a specially crafted HTTP request, the authentication 
of the jmx-console can be bypassed, as the access restrictions 
only apply for GET and POST. 

Current setting is: 

<security-constraint>
   <web-resource-collection>
     <web-resource-name>HtmlAdaptor</web-resource-name>
     <description>An example security config that only allows users with the
       role JBossAdmin to access the HTML JMX console web application
     </description>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>JBossAdmin</role-name>
   </auth-constraint>
 </security-constraint>


and should be changed to block ALL http-methods.

Acknowledgements:

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting this issue.

Comment 5 errata-xmlrpc 2010-04-27 03:19:55 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html

Comment 6 errata-xmlrpc 2010-04-27 03:39:10 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2010:0377 https://rhn.redhat.com/errata/RHSA-2010-0377.html

Comment 7 errata-xmlrpc 2010-04-27 03:55:21 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2010:0378 https://rhn.redhat.com/errata/RHSA-2010-0378.html

Comment 8 errata-xmlrpc 2010-04-27 04:15:48 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0379 https://rhn.redhat.com/errata/RHSA-2010-0379.html

Comment 9 Mark J. Cox 2011-10-20 13:30:36 UTC
External References:

https://access.redhat.com/kb/docs/DOC-30741

Comment 10 nlfdwms2006 2012-03-19 07:48:47 UTC
(In reply to comment #0)
> By using a specially crafted HTTP request, the authentication 
> of the jmx-console can be bypassed, as the access restrictions 
> only apply for GET and POST. 
> Current setting is: 
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>HtmlAdaptor</web-resource-name>
>      <description>An example security config that only allows users with the
>        role JBossAdmin to access the HTML JMX console web application
>      </description>
>      <url-pattern>/*</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>JBossAdmin</role-name>
>    </auth-constraint>
>  </security-constraint>
> and should be changed to block ALL http-methods.
> Acknowledgements:
> Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded
> Security for responsibly reporting this issue.

Comment 11 David Jorm 2012-05-17 05:07:27 UTC
Community releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole

