3 Replies Latest reply on Sep 5, 2015 6:53 AM by mayerw01

    CVE-2014-3518 vulnerability and JBoss 6.1?

    fassisrosa

      Hi there,

       

      I am looking online to verify if the CVE-2014-3518 vulnerability that was found in JBoss 5.X still exists in JBoss 6.1... I have not been able to find any information on this. Does anybody know if this vulnerability has been squashed in JBoss 6.1?

       

      Thanks in advance,

       

      Francisco.

        • 1. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
          mayerw01

          I understand you are referring to the implementation of JSR 160 (access.redhat.com | CVE-2014-3518)

          A new implementation of the JSR-160 spec has been added to JBossAS 6 M3 Remoting

          • 2. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
            fassisrosa

            Hi Wolfgang, thanks for the quick reply.

             

            Yes, I'm referring to JSR 160. From your answer I seem to confirm that from JBossAS 6 M3 onwards, this vulnerability is no longer an issue (please correct if wrong).

             

I used the CVE-2014-3518 vulnerability detection tool against JBossAS 6.1 and it flagged the vulnerability as present (see redhat.com, which provides a jar for testing, CVE-2014-3518-SAFE.jar -- sorry, it requires login). Looking at the tool implementation, however, it looks like the tool just checks to see if JMX remoting is enabled on the server. It does not check against the version of JBoss... It *looks* like the tool is really there to be used to check if JBoss 5.x is vulnerable to this, not other versions. So the vulnerability alert from the tool looks like a false positive when running against JBossAS 6.1.... is this correct?

             

            Again, thanks for your help on this,

             

            Francisco.

            • 3. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
              mayerw01

It looks like the testing tool does not catch exceptions when accessing the mail server.

              In JBoss 6.0 I get an entry in the log "19:35:54,676 ERROR [org.jboss.resource.adapter.mail.inflow.MailActivation] Failed to execute folder check, spec=MailActivationSpec(mailServer=COMMENTED mail.messagingengine.com, ...".

              This does not appear in version 5.

               

              Btw. the directory structure and port changed from 6.1 onwards. When just calling the tool with

java -jar CVE-2014-3518-SAFE.jar -H hostname

              I get a message: [CVE-2014-3518] Could not make an RMI connection, skipping. Reason: Cannot connect to host at given port

              When providing the port like:

              java -jar CVE-2014-3518-SAFE.jar -H hostname -r 8080

the tool gets a timeout and shows '[CVE-2014-3518] Cache poisoning failed. Reason: addr is of illegal length.'

               

              I don't think it may be useful for JBoss 6 and higher.

              What did you enter to get the "[CVE-2014-3518] MailService returned as expected, VULNERABLE" message?
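Francisco's point above is that the Red Hat tool only checks whether JMX remoting is reachable, not which JBoss release answers. The following is an added example, not the Red Hat tool and not code from this thread: a small Java probe that attempts a JMX-over-RMI connection with no credentials, distinguishes "connector accepted an anonymous login" from "connector demanded authentication" from "nothing answered on that port", and, when it does get in, reads the server version from the standard `jboss.system:type=Server` MBean so you can see which release is actually exposed. The default URL (`service:jmx:rmi:///jndi/rmi://host:1090/jmxconnector`) is an assumption matching a stock JBoss AS 5.x jmx-remoting.sar deployment; as Wolfgang notes, the port and layout differ from 6.1 onwards, so pass the right host, port and JNDI name for your installation.

```java
import java.io.IOException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Probe a JBoss AS JMX-over-RMI connector for unauthenticated access.
 * Added example for this thread; it is NOT Red Hat's CVE-2014-3518 tool.
 *
 * Usage: java JmxRemotingProbe <host> [port] [jndiName]
 *   defaults: port 1090, jndiName jmxconnector (assumption: stock AS 5.x layout)
 */
public class JmxRemotingProbe {

    enum Result { UNAUTHENTICATED, AUTH_REQUIRED, UNREACHABLE }

    /** Connect with no credentials at all and classify the server's reaction. */
    static Result probe(String url) {
        // Bound the RMI handshake/response so a filtered port fails fast
        // instead of hanging like the tool did in Wolfgang's run.
        System.setProperty("sun.rmi.transport.tcp.handshakeTimeout", "5000");
        System.setProperty("sun.rmi.transport.tcp.responseTimeout", "5000");

        // null environment: no jmx.remote.credentials, i.e. an anonymous login
        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(url), null)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            System.out.println("Connected WITHOUT credentials to " + url);
            System.out.println("Server reports version: " + serverVersion(mbsc));
            return Result.UNAUTHENTICATED;
        } catch (SecurityException e) {
            // The connector is live but refused the anonymous login.
            System.out.println("Connector at " + url + " requires authentication: " + e.getMessage());
            return Result.AUTH_REQUIRED;
        } catch (IOException e) {
            // Registry/connector not listening, wrong port, or wrong JNDI name.
            // This is "could not test", not "not vulnerable".
            System.out.println("No JMX/RMI connector answered at " + url + ": " + e.getMessage());
            return Result.UNREACHABLE;
        }
    }

    /** Read the version from the standard JBoss AS server MBean (assumption: it is registered). */
    static String serverVersion(MBeanServerConnection mbsc) {
        try {
            ObjectName server = new ObjectName("jboss.system:type=Server");
            return String.valueOf(mbsc.getAttribute(server, "VersionNumber"));
        } catch (Exception e) {
            return "unknown (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("usage: java JmxRemotingProbe <host> [port] [jndiName]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1090;          // assumption: AS 5.x default
        String jndiName = args.length > 2 ? args[2] : "jmxconnector";            // assumption: AS 5.x default
        String url = String.format("service:jmx:rmi:///jndi/rmi://%s:%d/%s", host, port, jndiName);

        Result r = probe(url);
        System.out.println("Verdict: " + r);
        if (r == Result.UNREACHABLE) {
            System.out.println("Note: unreachable means the check did not run; verify host, port and JNDI name.");
        }
    }
}
```

Only UNAUTHENTICATED means the connector actually let an anonymous caller at the MBean server; AUTH_REQUIRED means the endpoint is present but protected, and UNREACHABLE means you probed the wrong place, which is the situation Wolfgang hit with the Red Hat jar ("Could not make an RMI connection, skipping"). Whether an unauthenticated connector on a given release is the CVE-2014-3518 issue itself is a question for the Red Hat advisory text, not for this probe; the probe only removes the guesswork about which version is listening.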