It was found that the JBoss JNDI service allows unauthenticated remote write access by default. The JNDI service, HA-JNDI service and HAJNDIFactory invoker servlet are all affected. A remote attacker that is able to access port 1099 (JNDI), port 1100 (HA-JNDI) or the HAJNDIFactory invoker servlet on a JBoss server could exploit this flaw to add, delete and modify items in the JNDI tree. This could lead to a wide range of attacks, affecting the integrity, availability and confidentiality of the system.
Acknowledgements: Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.
It was found that the JBoss HA-JNDI service also allows unauthenticated remote write access by default. A remote attacker that is able to access port 1100 on a JBoss server that has HA-JNDI enabled could exploit this flaw to add, delete and modify items in the JNDI tree. This could lead to a wide range of attacks, affecting the integrity, availability and confidentiality of the system.
It was found that the HAJNDIFactory invoker servlet also allows unauthenticated remote write access by default.
The HAJNDIFactory invoker servlet is only exposed by default in the "all" and "production" profiles on EAP 5.1.2.
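As an added example (not Red Hat's or JBoss's own code), the following script audits an invoker web application's web.xml for servlet mappings that no role-bearing security-constraint covers, which is how an exposed HAJNDIFactory mapping shows up in a configuration review. The sample web.xml is constructed for the example, modelled on the layout of a JBoss invoker deployment; the servlet class names, the `/restricted/*` pattern and the `HttpInvoker` role are assumptions, and the "hardened" variant simply widens the constraint to `/*`, which is the generic servlet-spec way to put every mapping behind authentication rather than the exact change shipped in the errata.

```python
"""Find servlet mappings in a web.xml that no security-constraint protects.

Example code, not from Red Hat or the JBoss project. Uses only the
standard library so it can run offline against any web.xml file.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample web.xml (assumption: modelled on an invoker.war layout).
# The JMX invoker sits under /restricted/ behind a role check; HAJNDIFactory
# is mapped at the top level and is therefore reachable without credentials.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>HAJNDIFactory</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.NamingFactoryServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HAJNDIFactory</servlet-name>
    <url-pattern>/HAJNDIFactory</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/restricted/JMXInvokerServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss HTTP Invoker</realm-name>
  </login-config>
</web-app>
"""

# Hardened variant (assumption): the constraint covers every mapping.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("/restricted/*", "/*")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem (including elem) whose local tag is name."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def _child_text(elem, name):
    """Text of the first direct child with local tag name, or None."""
    for c in elem:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None


def covers(constraint_pattern, mapping_pattern):
    """Does a security-constraint url-pattern cover a servlet-mapping url-pattern?

    Handles the two servlet-spec forms that matter here: exact match and
    path-prefix patterns ending in '/*'. Extension patterns ('*.ext') are
    treated as non-covering, which errs on the side of reporting exposure.
    """
    if constraint_pattern == mapping_pattern:
        return True
    if constraint_pattern.endswith("/*"):
        return mapping_pattern.startswith(constraint_pattern[:-1])
    return False


def unprotected_mappings(web_xml_text):
    """Return the sorted servlet names whose mapping is not behind a
    security-constraint that carries an <auth-constraint>."""
    root = ET.fromstring(web_xml_text)
    mappings = {}
    for m in _descendants(root, "servlet-mapping"):
        mappings[_child_text(m, "servlet-name")] = _child_text(m, "url-pattern")

    protected_patterns = []
    for sc in _descendants(root, "security-constraint"):
        # A constraint with no <auth-constraint> restricts nothing.
        if not _descendants(sc, "auth-constraint"):
            continue
        for wrc in _descendants(sc, "web-resource-collection"):
            for up in _descendants(wrc, "url-pattern"):
                protected_patterns.append((up.text or "").strip())

    return sorted(
        name for name, pattern in mappings.items()
        if not any(covers(p, pattern) for p in protected_patterns)
    )


if __name__ == "__main__":
    # Usage: python audit_web_xml.py [path/to/web.xml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name in unprotected_mappings(text):
        print("unprotected servlet mapping:", name)
```

Run against the constructed sample it reports `HAJNDIFactory`; against the hardened variant it reports nothing. Note that a servlet constraint only governs the HTTP path: the native JNDI (port 1099) and HA-JNDI (port 1100) listeners described in the report are not web-tier resources and need the vendor fix or network restriction regardless of what web.xml says.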
This issue has been addressed in the following products: JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 6. Via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 6. Via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4, JBEAP 4.3.0 for RHEL 5. Via RHSA-2012:1025 https://rhn.redhat.com/errata/RHSA-2012-1025.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 4.3.0 CP10. Via RHSA-2012:1024 https://rhn.redhat.com/errata/RHSA-2012-1024.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.1.2. Via RHSA-2012:1023 https://rhn.redhat.com/errata/RHSA-2012-1023.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.1.2. Via RHSA-2012:1022 https://rhn.redhat.com/errata/RHSA-2012-1022.html
This issue has been addressed in the following products: JBoss Enterprise BRMS Platform 5.3.0. Via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
This issue has been addressed in the following products: JBoss Enterprise Portal Platform 4.3 CP07. Via RHSA-2012:1109 https://rhn.redhat.com/errata/RHSA-2012-1109.html
This issue has been addressed in the following products: JBoss Enterprise SOA Platform 5.3.0. Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
This issue has been addressed in the following products: JBoss Enterprise Portal Platform 5.2.2. Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html
This issue has been addressed in the following products: JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05. Via RHSA-2012:1295 https://rhn.redhat.com/errata/RHSA-2012-1295.html