Date: Mon, 23 Jul 2012 01:13:44 -0600
From: Kurt Seifried <>
CC: David Jorm <>
Subject: Re: CVE for JBOSS EAP 5.0(twiddle and jmx invocations)

On 07/22/2012 11:35 PM, David Jorm wrote:
> On 07/21/2012 02:12 AM, yersinia wrote:
>> Following this apparently RFE on JBOSS
>> I have found
>> a nice description, and a proposed patch, about it here
>> But the last link describes - apparently - a serious bug in the JBoss JMX
>> Invoker Layer, a missing authentication that can produce a
>> serious problem. Reading the other response I don't think there
>> is today the possibility to enforce a true mitigation in JBOSS,
>> apart from putting in place some form of network control (aka a
>> firewall). This is for JBOSS 5.0, I know that twiddle is no
>> longer in JBoss EAP 6.0 which provides a totally new, much
>> improved, secure and scriptable management interface.
>> Do you think this can require a CVE for JBOSS EAP 5?
>> Thanks in advance
> Thanks for bringing this up. As I see it, there are two issues here:
> 1) accepting credentials as command-line arguments,
> meaning they could be exposed to another local user via a process
> listing (JBPAPP-3391)
> This issue affects JBoss AS 5 and EAP 5, but as you noted not AS 7
> or EAP 6. It is my opinion that this is indeed a low impact
> security flaw, and a candidate for a CVE ID. I would give it the
> following CVSSv2 score: 2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N. Kurt, can
> you please assign a CVE ID for this flaw?

Please use CVE-2009-5066 for this issue.

> 2) AuthenticationInterceptor in jmx-invoker-service.xml is
> commented out by default, allowing unauthenticated access to the
> JMX Invoker
> This issue only affects JBoss AS community releases, not EAP or
> other supported JBoss products. The JBoss AS community releases
> prior to AS 7 opted for open by default configuration rather than
> secure by default configuration. AS 7 and all supported JBoss
> products have secure defaults applied. It is my opinion that this
> is a configuration and documentation issue rather than a security
> issue. Documentation for securing the invokers on JBoss AS
> community releases is available here:

Agreed, configuration issue.

> Thanks -- David Jorm / Red Hat Security Response Team

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
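An added check for the configuration issue discussed above (not code from this thread, from Red Hat or from the JBoss project): it parses a jmx-invoker-service.xml and reports whether the AuthenticationInterceptor is actually active rather than left inside an XML comment. The interceptor's fully qualified class name, the securityDomain attribute and the sample file layout are assumed from JBoss AS 5; the two sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Assumed from JBoss AS 5, not taken from the thread: the interceptor's class name,
# the securityDomain attribute and the <xmbean>/<interceptors> layout.
AUTH_INTERCEPTOR = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

# Constructed sample: the community "open by default" file, with the
# authentication interceptor left inside an XML comment.
OPEN_DEFAULT = """<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker">
    <xmbean>
      <interceptors>
        <!-- Uncomment to require authenticated users
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"/>
        -->
        <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                     policyClass="StripModelMBeanInfoPolicy"/>
      </interceptors>
    </xmbean>
  </mbean>
</server>"""

# Constructed hardened form: the same file with the comment markers removed, so the
# interceptor is a real element and every JMX invocation must authenticate.
HARDENED = OPEN_DEFAULT.replace("<!-- Uncomment to require authenticated users", "") \
                       .replace("-->", "")


def audit_invoker(xml_text):
    """Return (ok, findings). ok is True only when an AuthenticationInterceptor element
    is present (the parser drops comments, so a commented-out one does not count)
    and it names a securityDomain to authenticate against."""
    root = ET.fromstring(xml_text)
    findings = []
    active = [i for i in root.iter("interceptor") if i.get("code") == AUTH_INTERCEPTOR]
    if not active:
        findings.append("AuthenticationInterceptor absent or commented out: "
                        "JMX Invoker accepts unauthenticated invocations")
        return False, findings
    for interceptor in active:
        if not interceptor.get("securityDomain"):
            findings.append("AuthenticationInterceptor has no securityDomain attribute")
    return not findings, findings


if __name__ == "__main__":
    for label, doc in (("open default", OPEN_DEFAULT), ("hardened", HARDENED)):
        ok, findings = audit_invoker(doc)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```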
