JBAS-3861 (Application Server 3 4 5 and 6)

DeploymentFileRepository can be used to write/remove arbitrary files in the filesystem


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: JBossAS-3.2.5 Final, JBossAS-4.0.0 Final, JBossAS-3.2.6 Final, JBossAS-3.2.7 Final, JBossAS-4.0.1 Final, JBossAS-4.0.1 SP1, JBossAS-4.0.2 Final, JBossAS-4.0.3 Final, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1, JBossAS-4.0.4.GA, JBossAS-4.0.5.GA
    • Component/s: Management services
    • Labels:
      None
    • Workaround:
      Workaround Exists
    • Workaround Description:

      Secure remote access to jboss

      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      Securing JBoss is the best thing to do; however, if you only want to remove the offending service, you could:

      a) completely undeploy the web-console application by removing the directory deploy/management from the 'default' and 'all' configurations,
      or
      b) comment out the DeploymentFileRepository service deployed by deploy/management/console-mgr.sar in the 'default' and 'all' configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor, commenting out the following entry:
      ...
      <mbean code="org.jboss.console.manager.DeploymentFileRepository"
             name="jboss.admin:service=DeploymentFileRepository">
        <attribute name="BaseDir">./deploy/management</attribute>
      </mbean>
      The web-console will still work, but without the ability to create alerts/monitors/snapshots.
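      As an added check (not part of the issue or of the JBoss project), the script below tells an administrator whether either workaround is actually in effect for a server configuration: it reports whether deploy/management still exists and, if it does, whether console-mgr.sar (exploded or packed) still declares an active DeploymentFileRepository MBean. The sample descriptors are constructed from the entry quoted above; the directory layout is assumed to match the issue text.

```python
# Added example (not JBoss project code): verify that the JBAS-3861 workaround is
# in effect for a JBoss 3.2.x/4.0.x server configuration. Paths follow the issue
# text: deploy/management/console-mgr.sar and its META-INF/jboss-service.xml.
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import List, Optional

MBEAN_CODE = "org.jboss.console.manager.DeploymentFileRepository"
DESCRIPTOR = "META-INF/jboss-service.xml"

# Constructed sample descriptors, modelled on the entry quoted in the workaround.
VULNERABLE_XML = """<server>
  <mbean code="org.jboss.console.manager.DeploymentFileRepository"
         name="jboss.admin:service=DeploymentFileRepository">
    <attribute name="BaseDir">./deploy/management</attribute>
  </mbean>
</server>"""
# Workaround b): the same descriptor with the MBean commented out.
FIXED_XML = VULNERABLE_XML.replace("<mbean", "<!-- <mbean").replace("</mbean>", "</mbean> -->")


def active_mbeans(xml_text: str) -> List[str]:
    """ObjectNames of active DeploymentFileRepository MBeans in a descriptor.
    ElementTree drops XML comments, so a commented-out entry is not reported."""
    root = ET.fromstring(xml_text)
    return [m.get("name", "") for m in root.iter("mbean") if m.get("code") == MBEAN_CODE]


def read_descriptor(sar: Path) -> Optional[str]:
    """console-mgr.sar may be an exploded directory or a packed (zip) archive."""
    if sar.is_dir():
        f = sar / DESCRIPTOR
        return f.read_text() if f.is_file() else None
    if sar.is_file() and zipfile.is_zipfile(sar):
        with zipfile.ZipFile(sar) as z:
            return z.read(DESCRIPTOR).decode() if DESCRIPTOR in z.namelist() else None
    return None


def audit_config(config_dir) -> dict:
    """Audit one server configuration directory (e.g. server/default or server/all)."""
    mgmt = Path(config_dir) / "deploy" / "management"
    result = {"management_deployed": mgmt.is_dir(), "repository_active": False, "mbeans": []}
    if not mgmt.is_dir():
        return result  # workaround a): the whole web-console was removed
    text = read_descriptor(mgmt / "console-mgr.sar")
    if text is not None:
        result["mbeans"] = active_mbeans(text)
        result["repository_active"] = bool(result["mbeans"])
    return result
```

Run audit_config() against server/default and server/all; a result with repository_active set to True means the MBean is still deployed and the workaround has not taken effect.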


      Description

      Symantec discovered a flaw in the DeploymentFileRepository
      class of the JBoss application server. A remote attacker who
      is able to access the console manager could read or write to
      files with the permissions of the JBoss user. This could
      potentially lead to arbitrary code execution as the JBoss
      user. (CVE-2006-5750)

      Please note that the JBoss console manager should always be
      secured prior to deployment. By default, the JBoss installer
      gives users the ability to password protect the console
      manager, limiting an attack using this vulnerability to
      authorised users. These steps can also be performed manually.
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

      This vulnerability affects all JBoss releases from v3.2.4 to v4.0.5.

                People

                • Assignee: Dimitris Andreadis (dimitris)
                • Reporter: Dimitris Andreadis (dimitris)
                • Votes: 0
                • Watchers: 4
