
List:       oss-security
Subject:    Re: [oss-security] CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ?
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-07-23 7:13:44
Message-ID: 500CF9A8.4050601 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/22/2012 11:35 PM, David Jorm wrote:
> On 07/21/2012 02:12 AM, yersinia wrote:
>> Following this apparently RFE on JBOSS 
>> https://issues.jboss.org/browse/JBPAPP-3391?_sscc=t I have found
>> a nice description, and a proposed patch, about it here 
>> http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss/.
>>
>> But the last link describes - apparently - a serious bug in the JBoss JMX
>> Invoker Layer, a missing authentication that can produce a
>> serious problem. Reading the other response I don't think there 
>> is today the possibility to enforce a true mitigation in JBOSS,
>> apart from putting in place some form of network control (aka a 
>> firewall). This is for JBOSS 5.0, I know that twiddle is no
>> longer in JBoss EAP 6.0 which provides a totally new, much
>> improved, secure and scriptable management interface.
>> 
>> Do you think this can require a CVE for JBOSS EAP 5?
>> 
>> Thanks in advance
>> 
> 
> Thanks for bringing this up. As I see it, there are two issues here:
> 
> 1) twiddle.sh accepting credentials as command-line arguments,
> meaning they could be exposed to another local user via a process
> listing (JBPAPP-3391)
> 
> This issue affects JBoss AS 5 and EAP 5, but as you noted not AS 7
> or EAP 6. It is my opinion that this is indeed a low impact
> security flaw, and a candidate for a CVE ID. I would give it the
> following CVSSv2 score: 2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N. Kurt, can
> you please assign a CVE ID for this flaw?

Please use CVE-2009-5066 for this issue.

> 2) AuthenticationInterceptor in jmx-invoker-service.xml is
> commented out by default, allowing unauthenticated access to the
> JMX Invoker
> 
> This issue only affects JBoss AS community releases, not EAP or
> other supported JBoss products. The JBoss AS community releases
> prior to AS 7 opted for open by default configuration rather than
> secure by default configuration. AS 7 and all supported JBoss
> products have secure defaults applied. It is my opinion that this
> is a configuration and documentation issue rather than a security
> issue. Documentation for securing the invokers on JBoss AS
> community releases is available here:
> 
> https://community.jboss.org/wiki/SecureTheInvokers

Agreed, configuration issue.

> Thanks -- David Jorm / Red Hat Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
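Both issues David lists (credentials passed on twiddle.sh's command line, and the AuthenticationInterceptor left commented out in jmx-invoker-service.xml on AS 5 community builds) are things an administrator can check for on a running system. The POSIX shell script below is an added example written for this page; it is not part of the thread and not JBoss's own tooling. It assumes twiddle.sh takes credentials via -u/--user and -p/--password, and the process-listing lines and the simplified jmx-invoker-service.xml it runs on are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread or from JBoss): two defensive checks for
# the JBoss AS 5 / EAP 5 issues discussed above. Assumes twiddle.sh accepts
# -u/--user and -p/--password; all sample inputs below are constructed.

# Check 1: process-listing lines (e.g. `ps -eo pid,user,args`) on stdin.
# Prints every twiddle.sh invocation carrying a user or password argument,
# i.e. credentials any local user could read out of the process table.
find_twiddle_credentials() {
  grep -E '(^|[ /])twiddle(\.sh)?( |$)' |
    grep -E '(^| )(-u|-p)( |$)|--(user|password)='
}

# Check 2: jmx-invoker-service.xml on stdin. A small awk state machine strips
# XML comments (including multi-line ones); an AuthenticationInterceptor that
# survives the stripping is actually in effect. Prints "enabled" or "disabled".
jmx_invoker_auth_enabled() {
  awk '
  {
    line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) break                     # comment continues on next line
        line = substr(line, i + 3); incomment = 0
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; break }
        out = out substr(line, 1, i - 1)      # keep text before the comment
        line = substr(line, i + 4); incomment = 1
      }
    }
    print out
  }' | grep -q 'AuthenticationInterceptor' && echo enabled || echo disabled
}

# Constructed process-listing lines (pid user args). Two of the four expose
# credentials; "vim twiddle.sh" mentions the script but carries none.
SAMPLE_PS='1234 jboss /bin/sh ./twiddle.sh -s localhost -u admin -p S3cret get jboss.system:type=Server Started
2345 jboss java -classpath /opt/jboss/bin/run.jar org.jboss.Main -c default
3456 alice /opt/jboss-5.1/bin/twiddle.sh --user=admin --password=hunter2 get jboss.system:type=Server Started
4567 bob vim twiddle.sh'

# Constructed, simplified jmx-invoker-service.xml: the interceptor is commented
# out, which is the AS 5 community default David describes.
SAMPLE_XML_DISABLED='<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker">
    <interceptors>
      <!-- Uncomment to require authenticated users
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/jmx-console"/>
      -->
      <!-- Interceptor that deals with non-serializable results -->
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"/>
    </interceptors>
  </mbean>
</server>'

# The same file with the comment markers around the interceptor removed.
SAMPLE_XML_ENABLED=$(printf '%s\n' "$SAMPLE_XML_DISABLED" |
  sed -e '/Uncomment to require authenticated users/d' -e '/^ *-->$/d')

# Stand-alone demo on the constructed samples.
echo "twiddle invocations exposing credentials:"
printf '%s\n' "$SAMPLE_PS" | find_twiddle_credentials
printf 'default config:  %s\n' "$(printf '%s\n' "$SAMPLE_XML_DISABLED" | jmx_invoker_auth_enabled)"
printf 'hardened config: %s\n' "$(printf '%s\n' "$SAMPLE_XML_ENABLED" | jmx_invoker_auth_enabled)"
```

On a real host the two functions would be fed `ps -eo pid,user,args | find_twiddle_credentials` and `jmx_invoker_auth_enabled < "$JBOSS_HOME/server/default/deploy/jmx-invoker-service.xml"` (that deploy path is the usual AS 5 layout and is assumed here, not taken from the thread). The comment stripping matters because a plain `grep AuthenticationInterceptor` on the stock file returns a hit even though the interceptor is disabled.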