Date: Fri, 20 Jul 2012 18:12:53 +0200
From: yersinia <yersinia.spiros@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ?

Following this apparent RFE on JBoss
https://issues.jboss.org/browse/JBPAPP-3391?_sscc=t
I have found a nice description, and a proposed patch, about it here:
http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss/

But the last link describes, apparently, a serious bug in the JBoss JMX
Invoker Layer: a missing authentication that can produce a serious
problem. Reading the other responses, I don't think there is today any
possibility to enforce a true mitigation in JBoss, apart from putting in
place some form of network control (aka a firewall). This is for JBoss 5.0;
I know that twiddle is no longer in JBoss EAP 6.0, which provides a totally
new, much improved, secure and scriptable management interface.

Do you think this could require a CVE for JBoss EAP 5?

Thanks in advance
