It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
Acknowledgments: Name: Joao F M Figueiredo
Mitigation: Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. The users who do not wish to use the http-invoker.sar can remove it.
Statement: Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.
(In reply to Bharti Kundal from comment #2)
> Mitigation:
>
> Secure the access to the entire http-invoker contexts by adding
> <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> file of the http-invoker.sar. The users who do not wish to use the
> http-invoker.sar can remove it.

But I have found two web.xml files which are all under http-invoker.sar folders, please refer to below file paths:

......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml

I would like to know which web.xml file should be removed or all of them should be removed?

Thanks
(In reply to Samson from comment #5)
> (In reply to Bharti Kundal from comment #2)
> > Mitigation:
> >
> > Secure the access to the entire http-invoker contexts by adding
> > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > file of the http-invoker.sar. The users who do not wish to use the
> > http-invoker.sar can remove it.
>
> But I have found two web.xml files which are all under http-invoker.sar
> folders, please refer to below file paths:
>
> ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
>
> I would like to know which web.xml file should be removed or all of them
> should be removed?
>
> Thanks

Hi Samson,

It depends on which profile you want to run your server like default or web or all etc. There are various profiles in EAP. For an example you can run your server as:
run.sh -c all or run.sh -c web .

The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server
1) all
2) default
3) minimal
4) production
5) standard
6) web
(In reply to Bharti Kundal from comment #6)
> (In reply to Samson from comment #5)
> > (In reply to Bharti Kundal from comment #2)
> > > Mitigation:
> > >
> > > Secure the access to the entire http-invoker contexts by adding
> > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > file of the http-invoker.sar. The users who do not wish to use the
> > > http-invoker.sar can remove it.
> >
> > But I have found two web.xml files which are all under http-invoker.sar
> > folders, please refer to below file paths:
> >
> > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> >
> > I would like to know which web.xml file should be removed or all of them
> > should be removed?
> >
> > Thanks
>
> Hi Samson,
>
> It depends on which profile you want to run your server like default or web
> or all etc. There are various profiles in EAP. For an example you can run
> your server as:
> run.sh -c all or run.sh -c web .
>
> The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server
> 1) all
> 2) default
> 3) minimal
> 4) production
> 5) standard
> 6) web

Hi,

What if I remove web.xml from both paths?

Thanks
(In reply to Samson from comment #7)
> (In reply to Bharti Kundal from comment #6)
> > (In reply to Samson from comment #5)
> > > (In reply to Bharti Kundal from comment #2)
> > > > Mitigation:
> > > >
> > > > Secure the access to the entire http-invoker contexts by adding
> > > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > > file of the http-invoker.sar. The users who do not wish to use the
> > > > http-invoker.sar can remove it.
> > >
> > > But I have found two web.xml files which are all under http-invoker.sar
> > > folders, please refer to below file paths:
> > >
> > > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > >
> > > I would like to know which web.xml file should be removed or all of them
> > > should be removed?
> > >
> > > Thanks
> >
> > Hi Samson,
> >
> > It depends on which profile you want to run your server like default or web
> > or all etc. There are various profiles in EAP. For an example you can run
> > your server as:
> > run.sh -c all or run.sh -c web .
> >
> > The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server
> > 1) all
> > 2) default
> > 3) minimal
> > 4) production
> > 5) standard
> > 6) web
>
> Hi,
>
> What if I remove web.xml from both paths?
>
> Thanks

Hi Samson,

Is there any purpose behind removing the web.xml? It is a deployment descriptor; removing it may lead to errors.

Regards,
Bharti
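As an added check that is not part of this bug report or of JBoss itself: a small Python script that parses an invoker.war web.xml and reports whether a security-constraint carrying an auth-constraint covers `/*`, which is what the mitigation above asks for. The two sample descriptors are constructed for illustration; the `/restricted/*` pattern and the HttpInvoker role name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor (role and pattern names are assumptions): only
# /restricted/* is gated, so the rest of the invoker context is reachable
# without authentication.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The same descriptor after the mitigation: /* is added to the constraint.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "<url-pattern>/restricted/*</url-pattern>",
    "<url-pattern>/restricted/*</url-pattern>\n      <url-pattern>/*</url-pattern>")

def _local(tag):
    """Drop a namespace prefix ({uri}name -> name) so namespaced and plain
    web.xml files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def constrained_patterns(web_xml_text):
    """Return the url-patterns covered by security-constraints that carry an
    <auth-constraint> (empty or with roles: both deny anonymous access)."""
    root = ET.fromstring(web_xml_text)
    covered = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            continue  # no auth-constraint: this constraint requires no login
        covered.update(e.text.strip() for e in sc.iter()
                       if _local(e.tag) == "url-pattern" and e.text)
    return covered

def whole_context_protected(web_xml_text):
    """True when an authenticated constraint covers the entire context (/*)."""
    return "/*" in constrained_patterns(web_xml_text)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, sorted(constrained_patterns(text)),
              "protected" if whole_context_protected(text) else "EXPOSED")
```

Point it at the web.xml under every profile directory you actually start (both paths listed in the thread, if you run both profiles) rather than deleting the descriptor.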
This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 5.2 security update

Via RHSA-2018:1608 https://access.redhat.com/errata/RHSA-2018:1608
This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6

Via RHSA-2018:1607 https://access.redhat.com/errata/RHSA-2018:1607