CVE-2010-0738 and JBoss Products


Environment

  • JBoss Application Server (AS) 4.0.x
  • JBoss Communications Platform 1.2
  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 4.2
    • 4.3
    • 5.0
  • JBoss Enterprise Portal Platform (EPP) 4.3
  • JBoss Enterprise Web Platform (EWP) 5.0
  • JBoss SOA-Platform (SOA-P)
    • 4.2
    • 4.3
    • 5.0

Issue

  • CVE-2010-0738 concerns the default setup of the JMX console as shipped with many JBoss products (see the Environment section). The security constraint shipped with it is incomplete: it is meant to require authentication as the administration user id defined within these products, but does not enforce this for every request. A remote attacker, without having access to usernames and passwords, could misuse this setting to trigger arbitrary actions in the context of the operating system user running the java process and potentially harm confidentiality, integrity and availability.
  • I received the following email about a security vulnerability from Red Hat:
    • Statement Regarding Security Threat to JBoss Application Server
      Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.
      The worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products. An update to JBoss enterprise products was produced in April 2010 to correct the flaw, CVE-2010-0738.
      Instructions for securing the JMX console are available here:
      http://community.jboss.org/wiki/SecureTheJmxConsole
      Mark Cox
      The Red Hat Security Response Team

How do we protect ourselves from this worm?

  • Security Alert: https://threatpost.com/en_us/blogs/jboss-worm-exploiting-old-bug-infect-unpatched-servers-102111

Resolution

Red Hat is aware of the issue and is tracking it via Bugzilla 574105 and JIRA JBPAPP-3952.

The default setup of the JMX console as shipped with these products defines the following security constraints in deploy/jmx-console.war/WEB-INF/web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>
       An example security config that only allows users with the role
       JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

This means that GET or POST requests that are not authenticated as a user holding the JBossAdmin role are blocked and answered with a 401 error.

The HTTP protocol defines other verbs besides GET and POST, for instance HEAD, PUT and DELETE. Because those verbs are not listed in the security constraint, requests using them reach the server without any security check and are handled by the default GET handler whenever no verb-specific handler is defined. The worm takes advantage of this by sending its requests to the JMX console with the HEAD HTTP verb. If successful, the worm installs an IRC-based command and control component to attach the compromised server to a botnet, then runs a scanner that searches random blocks of IP address space for other vulnerable servers. Any vulnerable servers found by the scanner are infected in the same way, receiving both the command and control and the propagation components.

The following JBoss product releases correct this problem:

  • JBoss Communications Platform 1.2.5
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
  • Red Hat JBoss Enterprise Application Platform (EAP) 5.0.1
  • JBoss Enterprise Portal Platform (EPP) 4.3 CP04
  • JBoss Enterprise Web Platform (EWP) 5.0.0-SEC-01
  • JBoss SOA-Platform (SOA-P) 4.2 CP05
  • JBoss SOA-Platform (SOA-P) 4.3 CP03
  • JBoss SOA-Platform (SOA-P) 5.0.1

To manually stop the remaining verbs from reaching the GET handler, adjust the security constraint by removing the explicit <http-method> entries for GET and POST: a web-resource-collection that lists no <http-method> elements applies the constraint to every verb by default:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>
       An example security config that only allows users with the role
       JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
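As an added example (not from the Red Hat article or the JBoss project), the following Python audit parses a web.xml deployment descriptor, flags every web-resource-collection that still lists explicit <http-method> elements, and produces the hardened descriptor by removing them. The embedded descriptor is a constructed sample modelled on the snippet above, not a copy of a real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the shipped jmx-console.war/WEB-INF/web.xml
# constraint (trimmed; not a copy of any real deployment).
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip a namespace prefix so the check works with or without an xmlns."""
    return tag.rsplit('}', 1)[-1]


def audit_constraints(web_xml):
    """Return (resource-name, url-patterns, http-methods) for every
    web-resource-collection that lists <http-method> elements. Such a
    collection protects only the listed verbs; any other verb (HEAD, PUT,
    DELETE, ...) reaches the servlet without an authentication check."""
    findings = []
    for wrc in ET.fromstring(web_xml).iter():
        if local(wrc.tag) != 'web-resource-collection':
            continue
        name, patterns, methods = '', [], []
        for child in wrc:
            text = (child.text or '').strip()
            if local(child.tag) == 'web-resource-name':
                name = text
            elif local(child.tag) == 'url-pattern':
                patterns.append(text)
            elif local(child.tag) == 'http-method':
                methods.append(text)
        if methods:
            findings.append((name, patterns, methods))
    return findings


def harden(web_xml):
    """Drop every <http-method> element so each constraint covers all verbs,
    which is the fix the article describes. Returns the rewritten XML."""
    root = ET.fromstring(web_xml)
    for wrc in list(root.iter()):
        if local(wrc.tag) == 'web-resource-collection':
            for m in [c for c in wrc if local(c.tag) == 'http-method']:
                wrc.remove(m)
    return ET.tostring(root, encoding='unicode')
```

Running audit_constraints over every WEB-INF/web.xml under the deploy directory gives a quick inventory of descriptors that still carry the verb-limited constraint.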

Note: JBoss AS 4.0.x has reached end of life, so there is no binary patch release for it. Its deployment descriptor contains a commented-out copy of the entire security constraint outlined above. It is highly recommended that you uncomment this security constraint and manually remove the <http-method> tags as instructed above to ensure that your JBoss instance is protected.
