Bug 574105 - (CVE-2010-0738) CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20100426,repor...
Keywords: Security
Reported: 2010-03-16 12:20 EDT by Marc Schoenefeld
Modified: 2015-08-19 04:44 EDT
Doc Type: Bug Fix
Last Closed: 2012-05-17 01:07:27 EDT
Description Marc Schoenefeld 2010-03-16 12:20:35 EDT
By using a specially crafted HTTP request, the authentication 
of the jmx-console can be bypassed, as the access restrictions 
only apply for GET and POST. 

Current setting is: 

<security-constraint>
   <web-resource-collection>
     <web-resource-name>HtmlAdaptor</web-resource-name>
     <description>An example security config that only allows users with the
       role JBossAdmin to access the HTML JMX console web application
     </description>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>JBossAdmin</role-name>
   </auth-constraint>
 </security-constraint>


and should be changed to block ALL http-methods.

Acknowledgements:

Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting this issue.
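The constraint quoted above names only GET and POST, so under the Servlet 2.x matching rules any other verb (HEAD, PUT, DELETE, OPTIONS, TRACE, or an arbitrary token) reaches /jmx-console with no authentication; because HttpServlet services HEAD through the same doGet code path, a HEAD request still executes the console operation. The script below is an added example, not part of this bug report or of JBoss: it parses a web.xml, reproduces the container's method-matching rule, lists the verbs a constraint leaves unprotected, and rewrites the constraint to cover all methods by dropping the http-method elements, which is the change the report recommends. The sample web.xml is constructed from the constraint in the description; all function and variable names are the example's own.

```python
"""Audit a Servlet web.xml for security constraints that cover only some HTTP verbs.

Under the Servlet 2.x rules a <security-constraint> whose
<web-resource-collection> lists <http-method> elements protects ONLY those
methods; any verb not listed (HEAD, PUT, DELETE, OPTIONS, TRACE, or an
arbitrary token) reaches the servlet with no authentication at all.
Omitting <http-method> entirely makes the constraint cover every verb.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the vulnerable jmx-console constraint from the bug
# description, wrapped in a minimal <web-app> (no namespace, for brevity).
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Verbs worth probing; an attacker can also send a made-up token, which the
# container treats exactly like any other unlisted method.
PROBE_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so real, namespaced web.xml files work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def parse_constraints(web_xml_text):
    """Return one dict per <web-resource-collection>: name, url patterns, listed methods, roles."""
    root = ET.fromstring(web_xml_text)
    found = []
    for sc in [e for e in root.iter() if _local(e.tag) == "security-constraint"]:
        roles = [_text(r) for ac in _children(sc, "auth-constraint")
                 for r in _children(ac, "role-name")]
        for wrc in _children(sc, "web-resource-collection"):
            found.append({
                "name": " ".join(_text(n) for n in _children(wrc, "web-resource-name")),
                "patterns": [_text(p) for p in _children(wrc, "url-pattern")],
                "methods": [_text(m).upper() for m in _children(wrc, "http-method")],
                "roles": roles,
            })
    return found


def constraint_applies(listed_methods, verb):
    """Container matching rule: no <http-method> means every verb is covered;
    otherwise only the verbs actually listed are constrained."""
    return not listed_methods or verb.upper() in listed_methods


def unconstrained_verbs(listed_methods, probe=PROBE_VERBS):
    """Verbs from `probe` that reach the resource without passing the constraint."""
    return [v for v in probe if not constraint_applies(listed_methods, v)]


def audit(web_xml_text):
    """Report every constraint that leaves some probed verb unauthenticated."""
    findings = []
    for c in parse_constraints(web_xml_text):
        bypass = unconstrained_verbs(c["methods"])
        if bypass:
            findings.append({"name": c["name"], "patterns": c["patterns"],
                             "listed": c["methods"], "bypass": bypass})
    return findings


def harden(web_xml_text):
    """Drop every <http-method> from security constraints so each covers all verbs.
    Returns (new_xml_text, number_of_elements_removed)."""
    root = ET.fromstring(web_xml_text)
    removed = 0
    for sc in [e for e in root.iter() if _local(e.tag) == "security-constraint"]:
        for wrc in _children(sc, "web-resource-collection"):
            for m in _children(wrc, "http-method"):
                wrc.remove(m)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for f in audit(VULNERABLE_WEB_XML):
        print(f"{f['name']} {f['patterns']}: listed {f['listed']}, "
              f"unauthenticated verbs {f['bypass']}")
    fixed, n = harden(VULNERABLE_WEB_XML)
    print(f"removed {n} <http-method> element(s); findings after fix: {audit(fixed)}")
```

Run against the sample, the audit flags HtmlAdaptor at /* with HEAD, PUT, DELETE, OPTIONS and TRACE unauthenticated; after harden() removes the two http-method elements the audit is clean. Later Servlet versions added <http-method-omission> (3.0) and <deny-uncovered-http-methods/> (3.1) for this problem, but the EAP 4.x releases covered by this bug predate both, so removing the http-method elements is the applicable fix.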
Comment 5 errata-xmlrpc 2010-04-26 23:19:55 EDT
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html
Comment 6 errata-xmlrpc 2010-04-26 23:39:10 EDT
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2010:0377 https://rhn.redhat.com/errata/RHSA-2010-0377.html
Comment 7 errata-xmlrpc 2010-04-26 23:55:21 EDT
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2010:0378 https://rhn.redhat.com/errata/RHSA-2010-0378.html
Comment 8 errata-xmlrpc 2010-04-27 00:15:48 EDT
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0379 https://rhn.redhat.com/errata/RHSA-2010-0379.html
Comment 9 Mark J. Cox (Product Security) 2011-10-20 09:30:36 EDT
External References:

https://access.redhat.com/kb/docs/DOC-30741
Comment 10 nlfdwms2006 2012-03-19 03:48:47 EDT
Comment 11 David Jorm 2012-05-17 01:07:27 EDT
Community releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole
