How do I resolve CVE-2017-12149 on EAP 5?

Solution Unverified - Updated -

Environment

  • Red Hat Application Platform (EAP)
    • 5.x
  • Red Hat JBoss SOA Platform (SOA-P)
    • 5.3.0

Issue

How do I resolve CVE-2017-12149 on EAP 5?

Resolution

According to CVE-2017-12149:

Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. The users who do not wish to use the http-invoker.sar can remove it.

Based on CVE-2017-12149, there are two options:

  1. Remove server/$PROFILE/deploy/http-invoker.sar (only if nothing relies on the HTTP invoker).

  2. Protect the entire http-invoker web application by adding the /* URL pattern to the security-constraint in server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml (see the FIXME comment below):

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>HttpInvokers</web-resource-name>
              <description>An example security config that only allows users with the
                  role HttpInvoker to access the HTTP invoker servlets
              </description>
              <url-pattern>/*</url-pattern>  <!-- FIXME: add this line -->
              <url-pattern>/restricted/*</url-pattern>
              <url-pattern>/JNDIFactory/*</url-pattern>
              <url-pattern>/EJBInvokerServlet/*</url-pattern>
              <url-pattern>/JMXInvokerServlet/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>HttpInvoker</role-name>
          </auth-constraint>
      </security-constraint>
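An added verification script, not part of this article or of EAP: it parses a web.xml and reports whether some security-constraint maps /* to an auth-constraint, with or without the Servlet xmlns on <web-app>. It also treats a constraint that lists <http-method> elements as not covering the context, since such a constraint guards only the listed verbs; the sample web.xml it builds is constructed from the snippet above, and the script name check_invoker.py is hypothetical.

```python
# Added check, not from the Red Hat article: does invoker.war/WEB-INF/web.xml lock down
# the whole http-invoker context as CVE-2017-12149's mitigation requires?
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip any namespace so the check works with or without a Servlet xmlns on <web-app>.
    return tag.rsplit('}', 1)[-1]

def constraint_summary(web_xml_text):
    """One (url_patterns, roles, has_auth_constraint, http_methods) tuple per <security-constraint>."""
    root = ET.fromstring(web_xml_text)
    found = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == 'url-pattern' and e.text]
        methods = [e.text.strip() for e in sc.iter() if _local(e.tag) == 'http-method' and e.text]
        auth = [e for e in sc.iter() if _local(e.tag) == 'auth-constraint']
        roles = [r.text.strip() for a in auth for r in a.iter() if _local(r.tag) == 'role-name' and r.text]
        found.append((patterns, roles, bool(auth), methods))
    return found

def is_mitigated(web_xml_text):
    """True when some constraint maps /* to an auth-constraint with no <http-method>
    list (a listed-method constraint guards only those verbs, so it does not count)."""
    return any('/*' in patterns and has_auth and not methods
               for patterns, _roles, has_auth, methods in constraint_summary(web_xml_text))

def sample_web_xml(with_catch_all):
    """Constructed web.xml modelled on the article's snippet; not the file EAP ships."""
    extra = '<url-pattern>/*</url-pattern>' if with_catch_all else ''
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      {extra}
      <url-pattern>/restricted/*</url-pattern>
      <url-pattern>/JNDIFactory/*</url-pattern>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == '__main__':
    # Usage: python check_invoker.py server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml
    with open(sys.argv[1], encoding='utf-8') as fh:
        print('mitigated' if is_mitigated(fh.read()) else 'NOT mitigated:', sys.argv[1])
```

Run it against each profile's invoker.war/WEB-INF/web.xml after editing; a file that still lacks the /* pattern is reported as NOT mitigated.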

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
