Date: Fri, 20 Jul 2012 18:12:53 +0200
From: yersinia <yersinia.spiros@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for JBOSS EAP 5.0 (twiddle and jmx invocations)?

Following this apparent RFE on JBOSS
https://issues.jboss.org/browse/JBPAPP-3391?_sscc=t
I have found a nice description, and a proposed patch, about it here:
http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss/

But the last link describes - apparently - a serious bug in the JBoss JMX Invoker Layer, a missing authentication that can produce a serious problem.

Reading the other responses, I don't think there is today the possibility to enforce a true mitigation in JBOSS, apart from putting in place some form of network control (aka a firewall).

This is for JBOSS 5.0; I know that twiddle is no longer in JBoss EAP 6.0, which provides a totally new, much improved, secure and scriptable management interface.

Do you think this can require a CVE for JBOSS EAP 5?

Thanks in advance
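The objectopia post linked in the message above proposes securing the JMX invoker layer by putting a JAAS authentication interceptor in front of the invoker MBean. The script below is an added example (editor's code, not from the poster, from JBoss or from the linked post) that audits a JBoss AS/EAP 5 jmx-invoker-service.xml for that interceptor. It assumes the JBoss 4.x/5.x layout in which the invoker MBean is named jboss.jmx:type=adaptor,name=Invoker and carries an <interceptors> chain, and that org.jboss.jmx.connector.invoker.AuthenticationInterceptor with a securityDomain attribute is the interceptor that enforces authentication; the two XML samples are constructed for this example and are trimmed versions of what a real file contains. Because the stock file ships with that interceptor inside an XML comment, the check parses the file rather than grepping it, so a commented-out interceptor is correctly reported as absent.

```python
"""Audit a JBoss AS/EAP 5 jmx-invoker-service.xml for an active AuthenticationInterceptor.

Added example; not the poster's, JBoss's or the linked blog's own code.
Assumptions (labelled here and in the lead-in): invoker MBean name and
interceptor class name as in JBoss 4.x/5.x; sample XML below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

AUTH_INTERCEPTOR = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
INVOKER_MBEAN_NAME = "jboss.jmx:type=adaptor,name=Invoker"

# Constructed sample 1: the interceptor exists only inside a comment, which is
# how a default install looks. The invoker accepts unauthenticated calls.
UNSECURED_XML = """<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker" xmbean-dd="">
    <xmbean>
      <interceptors>
        <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                     policyClass="StripModelMBeanInfoPolicy"/>
        <!--
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"/>
        -->
        <interceptor code="org.jboss.jmx.connector.invoker.InvokerAdaptorClientInterceptor"/>
        <interceptor code="org.jboss.jmx.connector.invoker.InvokerInterceptor"/>
      </interceptors>
    </xmbean>
  </mbean>
</server>
"""

# Constructed sample 2: the same file with the interceptor uncommented.
SECURED_XML = UNSECURED_XML.replace("<!--\n", "").replace("        -->\n", "")


def audit_invoker(xml_text: str) -> dict:
    """Return what the parser sees in the invoker MBean's interceptor chain."""
    root = ET.fromstring(xml_text)
    result = {"invoker_found": False, "authenticated": False,
              "security_domain": None, "chain": []}
    for mbean in root.iter("mbean"):
        if mbean.get("name") != INVOKER_MBEAN_NAME:
            continue
        result["invoker_found"] = True
        # ElementTree discards comments, so an interceptor that is only
        # present inside <!-- --> never shows up here: exactly what we want.
        for icpt in mbean.iter("interceptor"):
            code = icpt.get("code", "")
            result["chain"].append(code)
            if code == AUTH_INTERCEPTOR:
                domain = icpt.get("securityDomain")
                result["security_domain"] = domain
                # An interceptor with no security domain has nothing to
                # authenticate against, so it does not count as protection.
                result["authenticated"] = bool(domain)
        break
    return result


def verdict(result: dict) -> str:
    """Turn an audit result into a one-line finding."""
    if not result["invoker_found"]:
        return "UNKNOWN: no %s MBean in this file" % INVOKER_MBEAN_NAME
    if result["authenticated"]:
        return "OK: AuthenticationInterceptor active, securityDomain=%s" % result["security_domain"]
    if AUTH_INTERCEPTOR in result["chain"]:
        return "WARN: AuthenticationInterceptor present but has no securityDomain"
    return "FAIL: JMX invoker accepts unauthenticated invocations (no AuthenticationInterceptor)"


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run both constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(verdict(audit_invoker(fh.read())))
    else:
        for label, text in (("unsecured sample", UNSECURED_XML), ("secured sample", SECURED_XML)):
            print("%s: %s" % (label, verdict(audit_invoker(text))))
```

Run it against $JBOSS_HOME/server/<profile>/deploy/jmx-invoker-service.xml on a JBoss 5 install. A FAIL here means the invoker exposed through the JMXInvokerServlet and the RMI adaptor will execute MBean operations for any caller that can reach it, which is the condition the message above describes; the firewall the poster mentions restricts who can reach it, while the interceptor restricts who it answers.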