US-CERT Vulnerability Notes Database
Vulnerability Note VU#632656

JBoss Application Server may not properly restrict access to the administrative interface

Overview

The JBoss Application Server may allow unauthenticated, remote access to the administrative console.

I. Description

JBoss is an open source application server implemented in Java. Because it is Java-based, JBoss can be used on any operating system that supports Java. JBoss servers can be remotely managed through a web-based administrative interface.

If JBoss is installed without using the advanced installer options, the JBoss security features will need to be configured manually. If a JBoss server is configured to allow unauthenticated access to the administrative interface, and is accessible from a remote network, then an attacker may be able to access and modify data on the server.

Note that it may be possible to enumerate vulnerable servers by using search engines.

II. Impact

A remote, unauthenticated attacker may be able to gain administrative access to a JBoss Application Server. Once an attacker has access, they may be able to access and modify data on that server.

III. Solution

Use the installer

Using the advanced installer options configures JBoss to allow only authenticated access to the administrative interface.

Enable role based security

Enabling role based security may mitigate this vulnerability. See the SecureTheJmxConsole page on the JBoss wiki for more information.

Restrict access

Restricting access to the administrative interface to trusted hosts may mitigate this vulnerability. See the LimitAccessToCertainClients page on the JBoss wiki for more information.
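As an added illustration (not text from this vulnerability note or from the JBoss wiki pages it cites), the fragments below show the two mitigations above applied to the JMX console web application: a servlet security constraint that admits only authenticated users in an administrative role, and a Tomcat valve that admits requests only from trusted addresses. File locations, the role and realm names, the security-domain JNDI name and the address list are assumptions; the cited wiki pages document the exact locations for a given JBoss release.

```xml
<!-- Fragment 1 (assumed location: WEB-INF/web.xml inside the jmx-console web
     application). Every request to the console must carry an authenticated identity
     in the JBossAdmin role. The role name and realm name are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>Administrative console: authenticated administrators only</description>
    <url-pattern>/*</url-pattern>
    <!-- Deliberately no <http-method> elements: when none are listed the constraint
         covers every HTTP verb, so a request using an unlisted verb cannot bypass it. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

<!-- Fragment 2 (assumed location: WEB-INF/jboss-web.xml of the same application).
     Binds the constraint above to a JAAS security domain that defines which users
     hold the JBossAdmin role; the JNDI name is an assumption. -->
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

<!-- Fragment 3 (assumed location: WEB-INF/context.xml of the same application,
     read by the embedded Tomcat). Rejects requests whose source address does not
     match the allow list, so the console is unreachable from untrusted networks even
     if authentication is later misconfigured. The addresses are constructed examples;
     the allow attribute takes comma-separated regular expressions, and the exact
     syntax depends on the embedded Tomcat version. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.0\.0\.\d+" />
</Context>
```

Applying both fragments gives defence in depth: the valve limits who can reach the console at all, and the security constraint ensures that whoever reaches it must still authenticate as an administrator.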

Systems Affected

Vendor          Status      Date Updated
Red Hat, Inc.   Vulnerable  21-Feb-2007

References

http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
http://wiki.jboss.org/wiki/Wiki.jsp?page=LimitAccessToCertainClients
http://www.jboss.com/
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
http://archives.neohapsis.com/archives/bugtraq/2007-02/0347.html

Credit

This vulnerability was reported by Ben Dexter.

This document was written by Ryan Giobbi.

Other Information

Date Public: 02/20/2007
Date First Published: 02/20/2007 04:05:43 PM
Date Last Updated: 02/21/2007
CERT Advisory:
CVE-ID(s): CVE-2007-1036
NVD-ID(s): CVE-2007-1036
US-CERT Technical Alerts:
Metric: 2.25
Document Revision: 32

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2007 by US-CERT, a government organization