JBAS-3861 (project: Application Server 3, 4, 5 and 6)

DeploymentFileRepository can be used to write/remove arbitrary files in the filesystem


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Affects Versions: JBossAS-3.2.5 Final, JBossAS-4.0.0 Final, JBossAS-3.2.6 Final, JBossAS-3.2.7 Final, JBossAS-4.0.1 Final, JBossAS-4.0.1 SP1, JBossAS-4.0.2 Final, JBossAS-4.0.3 Final, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1, JBossAS-4.0.4.GA, JBossAS-4.0.5.GA
    • Component: Management services
    • None
    • Workaround Exists

      Secure remote access to jboss

      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      Securing JBoss is the best thing to do; however, if you only want to remove the offending service, you can either:

      a) completely undeploy the web-console application by removing the deploy/management directory from the 'default' and 'all' configurations,
      or
      b) comment out the DeploymentFileRepository service deployed by
      deploy/management/console-mgr.sar in the 'default' and 'all' configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor, commenting out the following entry:
      ...
      <mbean code="org.jboss.console.manager.DeploymentFileRepository"
             name="jboss.admin:service=DeploymentFileRepository">
        <attribute name="BaseDir">./deploy/management</attribute>
      </mbean>
      The web-console will still work, but without the ability to create alerts/monitors/snapshots.
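As an added example (not from the issue or from JBoss itself), a Python helper that checks a console-mgr.sar jboss-service.xml descriptor for an active DeploymentFileRepository mbean and comments it out the way workaround (b) describes. The descriptor text is a constructed sample; the PluginManager mbean in it is an assumption, included only to show that other entries are left untouched.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of META-INF/jboss-service.xml from console-mgr.sar.
# The DeploymentFileRepository entry is the one quoted in the workaround;
# the PluginManager entry is a hypothetical neighbour that must survive.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.console.manager.PluginManager"
         name="jboss.admin:service=PluginManager">
  </mbean>
  <mbean code="org.jboss.console.manager.DeploymentFileRepository"
         name="jboss.admin:service=DeploymentFileRepository">
    <attribute name="BaseDir">./deploy/management</attribute>
  </mbean>
</server>
"""

MBEAN_RE = re.compile(
    r'<mbean\b[^>]*\bcode="org\.jboss\.console\.manager\.DeploymentFileRepository"'
    r'[^>]*>.*?</mbean>', re.DOTALL)
COMMENT_RE = re.compile(r'<!--.*?-->', re.DOTALL)

def active_mbean_names(xml_text):
    """Names of mbeans the container would actually deploy (comments are ignored)."""
    return [m.get('name') for m in ET.fromstring(xml_text).findall('mbean')]

def is_repository_active(xml_text):
    """True if an uncommented DeploymentFileRepository mbean is declared."""
    return MBEAN_RE.search(COMMENT_RE.sub('', xml_text)) is not None

def disable_repository(xml_text):
    """Wrap every active DeploymentFileRepository mbean in an XML comment.
    Returns (new_text, changed); already-commented entries are left alone."""
    comment_spans = [m.span() for m in COMMENT_RE.finditer(xml_text)]
    out, last, changed = [], 0, False
    for m in MBEAN_RE.finditer(xml_text):
        if any(s <= m.start() < e for s, e in comment_spans):
            continue  # this occurrence is already inside a comment
        body = m.group(0).replace('--', '- -')  # '--' is illegal inside a comment
        out.append(xml_text[last:m.start()])
        out.append('<!-- disabled per JBAS-3861 / CVE-2006-5750\n' + body + '\n-->')
        last, changed = m.end(), True
    out.append(xml_text[last:])
    return ''.join(out), changed
```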


      Symantec discovered a flaw in the DeploymentFileRepository
      class of the JBoss application server. A remote attacker who
      is able to access the console manager could read or write to
      files with the permissions of the JBoss user. This could
      potentially lead to arbitrary code execution as the JBoss
      user. (CVE-2006-5750)

      Please note that the JBoss console manager should always be
      secured prior to deployment. By default, the JBoss installer
      gives users the ability to password protect the console
      manager, limiting an attack using this vulnerability to
      authorised users. These steps can also be performed manually.
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

      This vulnerability affects all JBoss releases from v3.2.4 to v4.0.5.

              Dimitrios Andreadis (dandread1@redhat.com)
              Votes: 0
              Watchers: 3
