Bug 767020 (CVE-2011-4608) - CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost
Summary: CVE-2011-4608 mod_cluster: malicious worker nodes can register on any vhost
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4608
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 767420 767421 767422
Blocks: 767021
TreeView+ depends on / blocked
 
Reported: 2011-12-13 01:24 UTC by David Jorm
Modified: 2019-09-29 12:48 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-01-18 23:24:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-7708 0 Blocker Closed Workers register with balancer on any port it is listening on 2017-09-20 12:00:55 UTC
Red Hat Product Errata RHSA-2012:0035 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:29 UTC
Red Hat Product Errata RHSA-2012:0036 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:23 UTC
Red Hat Product Errata RHSA-2012:0037 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:18 UTC
Red Hat Product Errata RHSA-2012:0038 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:13 UTC
Red Hat Product Errata RHSA-2012:0039 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:08 UTC
Red Hat Product Errata RHSA-2012:0040 0 normal SHIPPED_LIVE Important: mod_cluster-native security update 2012-01-19 00:24:03 UTC

Description David Jorm 2011-12-13 01:24:21 UTC 
It was found that mod_cluster allowed worker nodes to register on any vhost, regardless of the security constraints applied to other vhosts. In a typical environment there will be one vhost configured internally for worker nodes, and another configured externally for serving content. A remote attacker could exploit this flaw by registering a worker node via an external vhost that is not configured to apply security constraints, then use this worker node to serve malicious content, intercept credentials and hijack user sessions.
Comment 5 errata-xmlrpc 2012-01-18 19:25:09 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0040 https://rhn.redhat.com/errata/RHSA-2012-0040.html
Comment 6 errata-xmlrpc 2012-01-18 19:25:13 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:0039 https://rhn.redhat.com/errata/RHSA-2012-0039.html
Comment 7 errata-xmlrpc 2012-01-18 19:25:17 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0038 https://rhn.redhat.com/errata/RHSA-2012-0038.html
Comment 8 errata-xmlrpc 2012-01-18 19:25:21 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:0037 https://rhn.redhat.com/errata/RHSA-2012-0037.html
Comment 9 errata-xmlrpc 2012-01-18 19:25:24 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0036 https://rhn.redhat.com/errata/RHSA-2012-0036.html
Comment 10 errata-xmlrpc 2012-01-18 19:25:30 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0035 https://rhn.redhat.com/errata/RHSA-2012-0035.html
Comment 11 JBoss JIRA Server 2012-01-25 14:51:06 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

I am going to verify and close as soon as the patch is commited to Mod_cluster 1.2.0.Beta4 source.
Comment 12 JBoss JIRA Server 2012-02-27 14:40:05 UTC 
Michal Babacek <mbabacek> updated the status of jira JBPAPP-7708 to Resolved
Comment 13 JBoss JIRA Server 2012-02-27 14:40:05 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

[~jfclere] has fixed it. Resolving.
Comment 14 JBoss JIRA Server 2012-02-27 14:45:06 UTC 
Michal Babacek <mbabacek> updated the status of jira JBPAPP-7708 to Closed
Comment 15 JBoss JIRA Server 2012-02-27 14:45:06 UTC 
Michal Babacek <mbabacek> made a comment on jira JBPAPP-7708

Verified with *{color:black}m_c 1.2.Final{color}*, one has to add {noformat}EnableMCPMReceive{noformat} in vhost conf (/).
Note You need to log in before you can comment on or make changes to this bug.