Bug 1486220 (CVE-2017-12149) - CVE-2017-12149 jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker.
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1487010
Blocks: 1484084
Reported: 2017-08-29 09:02 UTC by Bharti Kundal
Modified: 2021-03-11 15:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:22:25 UTC
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2018:1607 | 0 | None | None | None | 2018-05-17 18:22:27 UTC
Red Hat Product Errata RHSA-2018:1608 | 0 | None | None | None | 2018-05-17 18:17:22 UTC

Description Bharti Kundal 2017-08-29 09:02:09 UTC
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.

Comment 1 Bharti Kundal 2017-08-29 09:02:13 UTC
Acknowledgments:

Name: Joao F M Figueiredo

Comment 2 Bharti Kundal 2017-08-29 09:13:13 UTC
Mitigation:

Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. Users who do not wish to use the http-invoker.sar can remove it.
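As an added illustration, not taken from the bug report or from the JBoss project, this is the security-constraint the mitigation describes, as it would be placed in invoker.war/WEB-INF/web.xml inside http-invoker.sar. The role name HttpInvoker and the BASIC login-config are assumptions; keep whatever role and realm the shipped descriptor already declares.

```xml
<!-- Added example: protect every path served by the http-invoker context.
     The shipped descriptor constrains only a subset of paths; a constraint on
     the /* pattern makes the ReadOnlyAccessFilter endpoints unreachable
     without authentication, so unauthenticated clients can no longer submit
     serialized data to the filter.
     Role name and realm below are assumptions, not values from the report. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>Require authentication for the whole invoker context</description>
    <url-pattern>/*</url-pattern>
    <!-- Deliberately no <http-method> elements: listing only GET and POST
         would leave other verbs (HEAD, OPTIONS, PUT ...) unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss HTTP Invoker</realm-name>
</login-config>

<security-role>
  <role-name>HttpInvoker</role-name>
</security-role>
```

After editing, confirm that an unauthenticated request to any path under the invoker context (not only the previously constrained ones) now receives a 401 rather than being handed to the filter.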

Comment 4 Bharti Kundal 2017-09-01 17:39:28 UTC
Statement:

Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.

Comment 5 Samson 2017-09-15 04:23:00 UTC
(In reply to Bharti Kundal from comment #2)
> Mitigation:
> 
> Secure the access to the entire http-invoker contexts by adding
> <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> file of the http-invoker.sar.The users who do not wish to use the
> http-invoker.sar can remove it.

But I have found two web.xml files which are both under http-invoker.sar folders; please refer to the file paths below:

......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml

I would like to know which web.xml file should be removed, or whether all of them should be removed?

Thanks

Comment 6 Bharti Kundal 2017-09-15 06:50:31 UTC
(In reply to Samson from comment #5)
> (In reply to Bharti Kundal from comment #2)
> > Mitigation:
> > 
> > Secure the access to the entire http-invoker contexts by adding
> > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > file of the http-invoker.sar.The users who do not wish to use the
> > http-invoker.sar can remove it.
> 
> But I have found two web.xml files which are all under http-invoker.sar
> folders, please refer to bellow file paths:
> 
> ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> 
> I would like to know which web.xml file should be removed or all of them
> should be removed?
> 
> Thanks

Hi Samson,

It depends on which profile you want to run your server with, like default, web or all. There are various profiles in EAP. For example, you can run your server as:
run.sh -c all or run.sh -c web


The profiles are found under: EAP5.2/jboss-eap-5.2/jboss-as/server

1)all
2)default
3)minimal
4)production
5)standard
6)web

Comment 7 Samson 2017-09-15 07:03:19 UTC
(In reply to Bharti Kundal from comment #6)
> (In reply to Samson from comment #5)
> > (In reply to Bharti Kundal from comment #2)
> > > Mitigation:
> > > 
> > > Secure the access to the entire http-invoker contexts by adding
> > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > file of the http-invoker.sar.The users who do not wish to use the
> > > http-invoker.sar can remove it.
> > 
> > But I have found two web.xml files which are all under http-invoker.sar
> > folders, please refer to bellow file paths:
> > 
> > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > 
> > I would like to know which web.xml file should be removed or all of them
> > should be removed?
> > 
> > Thanks
> 
> Hi Samson,
> 
> It depends on which profile you want to run your server like default or web
> or all etc.There are various profiles in EAP.For an example you can  run
> your server as :
> run.sh -c all or run.sh -c web .
> 
> 
> The profiles are found under:EAP5.2/jboss-eap-5.2/jboss-as/server
> 
> 1)all
> 2)default
> 3)minimal
> 4)production
> 5)standard
> 6)web

Hi,

What if I remove web.xml from both paths?

Thanks

Comment 8 Bharti Kundal 2017-10-10 12:30:43 UTC
(In reply to Samson from comment #7)
> (In reply to Bharti Kundal from comment #6)
> > (In reply to Samson from comment #5)
> > > (In reply to Bharti Kundal from comment #2)
> > > > Mitigation:
> > > > 
> > > > Secure the access to the entire http-invoker contexts by adding
> > > > <url-pattern>/*</url-pattern> to the security-constraints in the web.xml
> > > > file of the http-invoker.sar.The users who do not wish to use the
> > > > http-invoker.sar can remove it.
> > > 
> > > But I have found two web.xml files which are all under http-invoker.sar
> > > folders, please refer to bellow file paths:
> > > 
> > > ......\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > > ......\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
> > > 
> > > I would like to know which web.xml file should be removed or all of them
> > > should be removed?
> > > 
> > > Thanks
> > 
> > Hi Samson,
> > 
> > It depends on which profile you want to run your server like default or web
> > or all etc.There are various profiles in EAP.For an example you can  run
> > your server as :
> > run.sh -c all or run.sh -c web .
> > 
> > 
> > The profiles are found under:EAP5.2/jboss-eap-5.2/jboss-as/server
> > 
> > 1)all
> > 2)default
> > 3)minimal
> > 4)production
> > 5)standard
> > 6)web
> 
> Hi,
> 
> What if remove web.xml from both paths ? 
> 
> Thanks

Hi Samson,

Is there any purpose behind removing the web.xml? It is a deployment descriptor; removing it may lead to errors.

Regards,
Bharti

Comment 14 errata-xmlrpc 2018-05-17 18:17:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2 security update

Via RHSA-2018:1608 https://access.redhat.com/errata/RHSA-2018:1608

Comment 15 errata-xmlrpc 2018-05-17 18:22:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 5 for RHEL 6

Via RHSA-2018:1607 https://access.redhat.com/errata/RHSA-2018:1607

