Does CVE-2013-4810 affect Red Hat JBoss products?

Updated -

Issue

The HP ProCurve Manager (PCM) was found to expose unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces. A remote attacker could exploit this flaw to invoke MBean methods and run arbitrary code in the context of the user running the PCM server.

The CVE ID for this flaw - CVE-2013-4810 - only refers to exposure of unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces on HP ProCurve Manager. These servlets are also, however, exposed without authentication on older, unsupported community releases of JBoss AS (WildFly) 4.x and 5.x.

An exploit for this flaw has been publicly released, and there have been multiple reports of this exploit being used to compromise vulnerable systems in the wild.

Environment

All supported Red Hat JBoss products that include the JMXInvokerServlet and EJBInvokerServlet interfaces apply authentication by default and are not affected by this issue.

Community releases of JBoss AS (Wildfly) 7.x are also not affected by this issue.

Users of older, unsupported community releases of JBoss AS (Wildfly) may be affected.

Resolution

Users of the unsupported JBoss AS (Wildfly) 4.x and 5.x community releases are advised to follow the instructions available here to apply authentication to the invoker servlet interfaces:

https://community.jboss.org/wiki/SecureJboss/

Red Hat has been aware of this issue since early 2012, as identified in CVE-2012-0874, and addressed the issue for supported Red Hat JBoss products based on JBoss AS 4.x and 5.x

Comments