Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: JBossAS-5.0.0.Beta1, JBossAS-4.2.0.CR1
Affects Version/s: JBossAS-3.2.5 Final, JBossAS-4.0.0 Final, JBossAS-3.2.6 Final, JBossAS-3.2.7 Final, JBossAS-4.0.1 Final, JBossAS-4.0.1 SP1, JBossAS-4.0.2 Final, JBossAS-4.0.3 Final, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1, JBossAS-4.0.4.GA, JBossAS-4.0.5.GA
Component/s: Management services
Labels:
None

Workaround:

Workaround Exists
Workaround Description:

Hide

Secure remote access to jboss

http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

Securing JBoss is the best thing to do, however, if you only want to remove the offending service, you could:

a) undeploy completely the web-console application by removing the directory deploy/management from the 'default' and 'all' configurations
or
b) comment out the DeploymentFileRepository service deployed by
deploy/management/console-mgr.sar in the 'default' and 'all' configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor, commenting out the following entry:
...
<mbean code="org.jboss.console.manager.DeploymentFileRepository"
name="jboss.admin:service=DeploymentFileRepository">
<attribute name="BaseDir">./deploy/management</attribute>
</mbean>
The web-console will still work, without the ability to create alerts/monitors/snapshots.

Show
Secure remote access to jboss http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole Securing JBoss is the best thing to do, however, if you only want to remove the offending service, you could: a) undeploy completely the web-console application by removing the directory deploy/management from the 'default' and 'all' configurations or b) comment out the DeploymentFileRepository service deployed by deploy/management/console-mgr.sar in the 'default' and 'all' configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor, commenting out the following entry: ... <mbean code="org.jboss.console.manager.DeploymentFileRepository" name="jboss.admin:service=DeploymentFileRepository"> <attribute name="BaseDir">./deploy/management</attribute> </mbean> The web-console will still work, without the ability to create alerts/monitors/snapshots.

SFDC Cases Counter:
SFDC Cases Links:

Description

Symantec discovered a flaw in the DeploymentFileRepository
class of the JBoss application server. A remote attacker who
is able to access the console manager could read or write to
files with the permissions of the JBoss user. This could
potentially lead to arbitrary code execution as the JBoss
user. (CVE-2006-5750)

Please note that the JBoss console manager should always be
secured prior to deployment. By default, the JBoss installer
gives users the ability to password protect the console
manager, limiting an attack using this vulnerability to
authorised users. These steps can also be performed manually.
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

This vulnerability afffects all JBoss releases from v3.2.4 to v.4.0.5

Attachments

Issue Links

relates to

JBAS-4621 error deploying admin-consoles in deploy is a link

Closed

Activity

People

Assignee:: Dimitrios Andreadis

Reporter:: Dimitrios Andreadis

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2006/11/16 1:01 PM

Updated:: 2020/09/14 5:42 AM

Resolved:: 2006/11/27 10:55 AM