Heads up - Possible Security Issue


We've had one client affected by this 'Mark Cox's Blog: Statement
Regarding Security Threat to JBoss Application Server | JBoss Community'
(http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server)


I haven't tried to recreate in a clean environment, but they were on a
3.7 install with jmx-console security enabled. The issue says it is
related to JBoss 4, but the JBoss shipped with the User App has the
incorrect security constraint.

https://access.redhat.com/kb/docs/DOC-30741

To summarize - when securing the jmx-console/web console:

Make sure to remove the http-method lines.

If someone could verify whether or not this is in the 4 variant, that
would be great. If not, I'll likely update in a week.


--
42sd
------------------------------------------------------------------------
42sd's Profile: http://forums.novell.com/member.php?userid=17383
View this thread: http://forums.novell.com/showthread.php?t=448118
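
An added example, not part of the original post or of any vendor tooling: a small check for the condition the post describes, a security constraint that lists `http-method` lines and therefore only applies to those methods. The web.xml fragment is constructed, and the names HtmlAdaptor and JBossAdmin in it are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a constraint that lists http-method elements, so only
# the listed methods require authentication (assumed layout, not a real file).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # tag name without any XML namespace

def method_limited_collections(web_xml_text):
    """Return (name, url patterns, methods) for each method-limited collection."""
    findings = []
    for wrc in ET.fromstring(web_xml_text).iter():
        if _local(wrc.tag) != "web-resource-collection":
            continue
        fields = {"web-resource-name": [], "url-pattern": [], "http-method": []}
        for child in wrc:
            if _local(child.tag) in fields:
                fields[_local(child.tag)].append((child.text or "").strip())
        if fields["http-method"]:
            name = (fields["web-resource-name"] or ["(unnamed)"])[0]
            findings.append((name, fields["url-pattern"], fields["http-method"]))
    return findings

def without_http_methods(web_xml_text):
    """Apply the fix from the post: drop the http-method lines."""
    root = ET.fromstring(web_xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "http-method":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for name, patterns, methods in method_limited_collections(WEAK_WEB_XML):
        print(f"{name} {patterns}: only {methods} require authentication")
```

With the `http-method` lines removed, the constraint applies to every HTTP method for the matching URL patterns.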

Re: Heads up - Possible Security Issue

On 11/11/2011 11:56 AM, 42sd wrote:
>
> We've had one client affected by this 'Mark Cox's Blog: Statement
> Regarding Security Threat to JBoss Application Server | JBoss Community'
> (http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server)
>
>
> I haven't tried to recreate in a clean environment, but they were on a
> 3.7 install with jmx-console security enabled. The issue says it is
> related to JBoss 4, but the JBoss shipped with the User App has the
> incorrect security constraint.
>
> https://access.redhat.com/kb/docs/DOC-30741
>
> To summarize - when securing the jmx-console/web console:
>
> Make sure to remove the http-method lines.
>
> If someone could verify whether or not this is in the 4 variant, that
> would be great. If not, I'll likely update in a week.
>
>

Greetings,
I posted on 22-October-2011 warning about this. The thread title
was: "Make sure to lock down the JBoss Admin Consoles"



--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
Re: Heads up - Possible Security Issue


Yeah. There it is. I could have sworn it only said it affected 4.x
versions when I first saw it from Slashdot.


--
42sd
------------------------------------------------------------------------
42sd's Profile: http://forums.novell.com/member.php?userid=17383
View this thread: http://forums.novell.com/showthread.php?t=448118
