0 Replies Latest reply on Apr 28, 2016 2:59 AM by vinson.m.s

    JBoss 5.1.0 AS vulnerability CVE-2012-0874

    vinson.m.s

      Hi,

      We are using JBoss 5.1.0 GA as our Application server. Our security team has flagged the vulnerability CVE-2012-0874.

      Description:

      The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. Due to the second layer of authentication provided by the security interceptor, there is no way to directly exploit this flaw. If a user misconfigured the security interceptor or inadvertently disabled it, this flaw would be exploitable. A remote attacker could exploit this flaw to invoke MBean methods and run arbitrary code in the context of the user running the JBoss server.

      This issue has been fixed in the JBoss 5.2.0 Enterprise Application Platform update.

      We don't want to upgrade the JBoss version and would like to fix the issue in the existing version.

      The bug related to the vulnerability is tracked under

      https://bugzilla.redhat.com/show_bug.cgi?id=795645

      One of the comments in the bug mentions:

      The interceptor that blocks exploitation of this flaw by default is declared in jboss-as/server/$PROFILE/deploy/jmx-invoker-service.xml:

      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>

      I have checked: in 5.1.0 the interceptor is commented out, while in 5.2.0 it is uncommented.

      What I need to know is whether uncommenting the above interceptor will fix the vulnerability CVE-2012-0874, or whether there are more changes to be done.

      Thanks

      Vinson
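A practical follow-up to the question above is verifying that the interceptor is actually active in a given profile's descriptor rather than merely present in the file text: a plain grep for the class name matches the commented-out declaration in 5.1.0 just as well as the live one in 5.2.0. The script below is an added example, not code from the post or from the JBoss project. It parses a jmx-invoker-service.xml with ElementTree (which discards XML comments) and reports whether an interceptor element with the AuthenticationInterceptor code is present and bound to a securityDomain. The two embedded XML samples are constructed stand-ins; apart from the interceptor line quoted in the post, their surrounding element layout (the InvokerAdaptorService mbean, xmbean, operation and descriptors elements) is an assumption about the file's shape and is trimmed down, so run the script against the real descriptor from each profile you deploy.

```python
"""Report whether the JMX invoker AuthenticationInterceptor is active in a
jmx-invoker-service.xml descriptor.  Added example, not JBoss project code."""
import sys
import xml.etree.ElementTree as ET

AUTH_INTERCEPTOR = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

# Constructed, trimmed-down stand-in for deploy/jmx-invoker-service.xml with
# the interceptor still commented out (the 5.1.0 state described in the post).
# The element layout around the <interceptors> list is an assumption.
DISABLED = """<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker">
    <xmbean>
      <operation>
        <name>invoke</name>
        <descriptors>
          <interceptors>
            <!-- Uncomment to require authenticated users
            <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                         securityDomain="java:/jaas/jmx-console"/>
            -->
            <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                         policyClass="StripModelMBeanInfoPolicy"/>
          </interceptors>
        </descriptors>
      </operation>
    </xmbean>
  </mbean>
</server>
"""

# Constructed stand-in for the same descriptor with the comment markers removed.
ENABLED = """<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker">
    <xmbean>
      <operation>
        <name>invoke</name>
        <descriptors>
          <interceptors>
            <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                         securityDomain="java:/jaas/jmx-console"/>
            <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                         policyClass="StripModelMBeanInfoPolicy"/>
          </interceptors>
        </descriptors>
      </operation>
    </xmbean>
  </mbean>
</server>
"""


def naive_grep_finds_it(xml_text: str) -> bool:
    """What `grep AuthenticationInterceptor` would report: True even when the
    declaration only survives inside an XML comment (a false positive)."""
    return AUTH_INTERCEPTOR in xml_text


def auth_interceptor_status(xml_text: str) -> dict:
    """Parse the descriptor and report whether the AuthenticationInterceptor is
    a real element.  ElementTree drops comments, so a commented-out declaration
    is never counted as active."""
    root = ET.fromstring(xml_text)
    active = [el for el in root.iter("interceptor")
              if el.get("code") == AUTH_INTERCEPTOR]
    domain = active[0].get("securityDomain") if active else None
    return {
        "active": bool(active),
        "securityDomain": domain,
        # The protection the bug report describes is only in place when the
        # interceptor is declared AND bound to a security domain.
        "ok": bool(active) and bool(domain),
    }


def main(argv):
    """Check a descriptor given on the command line, or the two samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
        sources = [(argv[1], text)]
    else:
        sources = [("constructed DISABLED sample", DISABLED),
                   ("constructed ENABLED sample", ENABLED)]
    for label, text in sources:
        status = auth_interceptor_status(text)
        print(f"{label}: grep says present={naive_grep_finds_it(text)}, "
              f"parsed active={status['active']}, "
              f"securityDomain={status['securityDomain']}, ok={status['ok']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_invoker.py /path/to/server/PROFILE/deploy/jmx-invoker-service.xml` for each profile in use; with no argument it runs over the two constructed samples and shows the grep false positive side by side with the parsed result. The check covers only the descriptor named in the bug report comment, so it says nothing about the other changes the post asks about.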