-
1. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
mayerw01 Sep 4, 2015 5:21 AM (in response to fassisrosa)
I understand you are referring to the implementation of JSR 160 (access.redhat.com | CVE-2014-3518).
A new implementation of the JSR-160 spec has been added to JBossAS 6 M3 Remoting.
-
2. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
fassisrosa Sep 4, 2015 8:53 AM (in response to mayerw01)
Hi Wolfgang, thanks for the quick reply.
Yes, I'm referring to JSR 160. From your answer I seem to confirm that from JBossAS 6 M3 onwards, this vulnerability is no longer an issue (please correct if wrong).
I used the CVE-2014-3518 vulnerability detection tool against JBossAS 6.1 and it flagged the vulnerability as present (see redhat.com, this provides a jar for testing, CVE-2014-3518-SAFE.jar -- sorry, requires login). Looking at the tool implementation however, it looks like the tool just checks to see if JMX remoting is enabled on the server. It does not check against the version of JBoss... It *looks* like the tool is really there to be used to check if JBoss 5.x is vulnerable to this, not other versions. So the vulnerability alert from the tool looks like a false positive when running against JBossAS 6.1.... is this correct?
Again, thanks for your help on this,
Francisco.
-
3. Re: CVE-2014-3518 vulnerability and JBoss 6.1?
mayerw01 Sep 5, 2015 6:53 AM (in response to fassisrosa)
It looks like the testing tool does not catch on exceptions when accessing the mail server.
In JBoss 6.0 I get an entry in the log: "19:35:54,676 ERROR [org.jboss.resource.adapter.mail.inflow.MailActivation] Failed to execute folder check, spec=MailActivationSpec(mailServer=COMMENTED mail.messagingengine.com, ...".
This does not appear in version 5.
Btw. the directory structure and port changed from 6.1 onwards. When just calling the tool with
    java -jar CVE-2014-3518-SAFE.jar -H hostname
I get a message: "[CVE-2014-3518] Could not make an RMI connection, skipping. Reason: Cannot connect to host at given port".
When providing the port like:
    java -jar CVE-2014-3518-SAFE.jar -H hostname -r 8080
the tool gets a timeout and shows "[CVE-2014-3518] Cache poisoning failed. Reason: addr is of illegal length".
I don't think it may be useful for JBoss 6 and higher.
What did you enter to get the "[CVE-2014-3518] MailService returned as expected, VULNERABLE" message?
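A server-side view of the same observation, as an added example that is not part of the thread and not code from Red Hat's tool: mayerw01 notes that running the checker against JBoss 6.0 leaves a MailActivation "Failed to execute folder check" entry in the log. The script below parses JBoss log lines in that single-line format and surfaces folder-check failures whose mailServer is not one the deployment is configured to use, which is one way for an operator to notice the checker (or anything else driving MailActivation) from the server side. The sample log lines, hostnames and the allowlist are constructed for the example; the log format is assumed to match the line quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of JBoss server.log lines, modelled on the MailActivation
# error quoted in the thread (hostnames are placeholders, not real servers).
SAMPLE_LOG = """\
19:35:54,676 ERROR [org.jboss.resource.adapter.mail.inflow.MailActivation] Failed to execute folder check, spec=MailActivationSpec(mailServer=mail.corp.example, mailFolder=INBOX, ...)
19:36:01,002 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] deploy, ctxPath=/app
19:40:12,310 ERROR [org.jboss.resource.adapter.mail.inflow.MailActivation] Failed to execute folder check, spec=MailActivationSpec(mailServer=unexpected.example, mailFolder=INBOX, ...)
19:40:12,311 WARN  [org.jboss.resource.adapter.mail.inflow.MailActivation] some unrelated warning
"""

# "HH:MM:SS,mmm LEVEL [logger] message" as in the quoted JBoss 6.0 log entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)
# The mailServer value runs up to the next comma or closing parenthesis; the
# post's own value contained a space, so we do not assume a bare hostname.
MAIL_SERVER_RE = re.compile(r"mailServer=(?P<host>[^,)]+)")
MAIL_ACTIVATION_LOGGER = "org.jboss.resource.adapter.mail.inflow.MailActivation"


@dataclass(frozen=True)
class FolderCheckFailure:
    timestamp: str
    mail_server: str


def parse_folder_check_failures(lines: Iterable[str]) -> List[FolderCheckFailure]:
    """Return every MailActivation 'Failed to execute folder check' ERROR with its mailServer."""
    failures: List[FolderCheckFailure] = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a log line in the expected layout
        if m.group("level") != "ERROR" or m.group("logger") != MAIL_ACTIVATION_LOGGER:
            continue
        msg = m.group("msg")
        if not msg.startswith("Failed to execute folder check"):
            continue
        host_match = MAIL_SERVER_RE.search(msg)
        host = host_match.group("host").strip() if host_match else "<unknown>"
        failures.append(FolderCheckFailure(m.group("ts"), host))
    return failures


def unexpected_mail_servers(lines: Iterable[str], allowed_hosts: Set[str]) -> List[FolderCheckFailure]:
    """Keep only failures against a mail server the deployment is not configured to use."""
    return [f for f in parse_folder_check_failures(lines) if f.mail_server not in allowed_hosts]


if __name__ == "__main__":
    # allowlist = the mail server(s) your own MailActivationSpec actually points at
    for f in unexpected_mail_servers(SAMPLE_LOG.splitlines(), {"mail.corp.example"}):
        print(f"{f.timestamp} folder check against unexpected mail server: {f.mail_server}")
```

Feed it your real server.log and the hostnames from your own mail activation configuration; an entry pointing at any other host is worth correlating with who was connecting to the server at that time.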