Bug 767020 – CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 767020 - (CVE-2011-4608) CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost

Summary:	CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost

Status:	CLOSED ERRATA

Aliases:	CVE-2011-4608

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20120118,repo...
Keywords:	Security

Depends On:	767420 767421 767422
Blocks:	767021
	Show dependency tree / graph

Reported:	2011-12-12 20:24 EST by David Jorm
Modified:	2014-10-20 20:01 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-01-18 18:24:08 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
JBoss Issue Tracker	JBPAPP-7708	Blocker	Closed	Workers register with balancer on any port it is listening on	2017-09-20 08:00 EDT
Red Hat Product Errata	RHSA-2012:0035	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:29 EST
Red Hat Product Errata	RHSA-2012:0036	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:23 EST
Red Hat Product Errata	RHSA-2012:0037	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:18 EST
Red Hat Product Errata	RHSA-2012:0038	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:13 EST
Red Hat Product Errata	RHSA-2012:0039	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:08 EST
Red Hat Product Errata	RHSA-2012:0040	normal	SHIPPED_LIVE	Important: mod_cluster-native security update	2012-01-18 19:24:03 EST

Groups: None (edit)

Description David Jorm 2011-12-12 20:24:21 EST

It was found that mod_cluster allowed worker nodes to register on any vhost, regardless of the security constraints applied to other vhosts. In a typical environment there will be one vhost configured internally for worker nodes, and another configured externally for serving content. A remote attacker could exploit this flaw by registering a worker node via an external vhost that is not configured to apply security constraints, then use this worker node to serve malicious content, intercept credentials and hijack user sessions.

Comment 5 errata-xmlrpc 2012-01-18 14:25:09 EST

This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0040 https://rhn.redhat.com/errata/RHSA-2012-0040.html

Comment 6 errata-xmlrpc 2012-01-18 14:25:13 EST

This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:0039 https://rhn.redhat.com/errata/RHSA-2012-0039.html

Comment 7 errata-xmlrpc 2012-01-18 14:25:17 EST

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0038 https://rhn.redhat.com/errata/RHSA-2012-0038.html

Comment 8 errata-xmlrpc 2012-01-18 14:25:21 EST

This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:0037 https://rhn.redhat.com/errata/RHSA-2012-0037.html

Comment 9 errata-xmlrpc 2012-01-18 14:25:24 EST

This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0036 https://rhn.redhat.com/errata/RHSA-2012-0036.html

Comment 10 errata-xmlrpc 2012-01-18 14:25:30 EST

This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0035 https://rhn.redhat.com/errata/RHSA-2012-0035.html

Comment 11 JBoss JIRA Server 2012-01-25 09:51:06 EST

Michal Babacek <mbabacek@redhat.com> made a comment on jira JBPAPP-7708

I am going to verify and close as soon as the patch is commited to Mod_cluster 1.2.0.Beta4 source.

Comment 12 JBoss JIRA Server 2012-02-27 09:40:05 EST

Michal Babacek <mbabacek@redhat.com> updated the status of jira JBPAPP-7708 to Resolved

Comment 13 JBoss JIRA Server 2012-02-27 09:40:05 EST

Michal Babacek <mbabacek@redhat.com> made a comment on jira JBPAPP-7708

[~jfclere] has fixed it. Resolving.

Comment 14 JBoss JIRA Server 2012-02-27 09:45:06 EST

Michal Babacek <mbabacek@redhat.com> updated the status of jira JBPAPP-7708 to Closed

Comment 15 JBoss JIRA Server 2012-02-27 09:45:06 EST

Michal Babacek <mbabacek@redhat.com> made a comment on jira JBPAPP-7708

Verified with *{color:black}m_c 1.2.Final{color}*, one has to add {noformat}EnableMCPMReceive{noformat} in vhost conf (/).

Note You need to log in before you can comment on or make changes to this bug.