How do I resolve CVE-2017-12149 on EAP 5?
Environment
- Red Hat Application Platform (EAP)
- 5.x
- Red Hat JBoss SOA Platform (SOA-P)
- 5.3.0
Issue
How do I resolve CVE-2017-12149 on EAP 5?
Resolution
According to CVE-2017-12149:
Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. The users who do not wish to use the http-invoker.sar can remove it.
Based on CVE-2017-12149, there are two options:
- Remove server/$PROFILE/deploy/http-invoker.sar; or
- Protect all of the http-invoker web application by adding the /* url pattern to the security-constraint in server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml (see the FIXME comment below):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the role HttpInvoker to access the HTTP invoker servlets </description>
        <url-pattern>/*</url-pattern> <!-- FIXME: add this line -->
        <url-pattern>/restricted/*</url-pattern>
        <url-pattern>/JNDIFactory/*</url-pattern>
        <url-pattern>/EJBInvokerServlet/*</url-pattern>
        <url-pattern>/JMXInvokerServlet/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>
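To confirm that the second option actually took effect, the following is an added check script (not part of this Red Hat solution or of EAP) that parses a web.xml and reports whether a security-constraint backed by an auth-constraint covers the /* pattern. The embedded sample documents are constructed, and the file path taken from the command line is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not the page's file): the stock invoker constraint,
# and PATCHED = the same constraint with the article's /* pattern added.
UNPATCHED = b"""<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>HttpInvokers</web-resource-name>
   <url-pattern>/restricted/*</url-pattern>
   <url-pattern>/JNDIFactory/*</url-pattern>
   <url-pattern>/EJBInvokerServlet/*</url-pattern>
   <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
PATCHED = UNPATCHED.replace(
    b"<url-pattern>/restricted/*",
    b"<url-pattern>/*</url-pattern>\n   <url-pattern>/restricted/*")

def _local(tag):
    """Strip a namespace ({uri}name -> name): EAP 5 web.xml may be DTD-only or namespaced."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return {'protected_patterns': [...], 'covers_all': bool}. A pattern is
    protected only if its constraint has an <auth-constraint> (absent means
    unrestricted) and its collection lists no <http-method> (others stay open)."""
    root = ET.fromstring(xml_text)
    protected = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            if any(_local(c.tag) == "http-method" for c in wrc):
                continue
            protected += [c.text.strip() for c in wrc
                          if _local(c.tag) == "url-pattern" and c.text]
    return {"protected_patterns": protected, "covers_all": "/*" in protected}

if __name__ == "__main__":  # assumed usage: python audit_invoker.py path/to/web.xml
    with open(sys.argv[1] if len(sys.argv) > 1 else "web.xml", "rb") as fh:
        report = audit_web_xml(fh.read())
    print("OK: /* is protected" if report["covers_all"] else
          "MISSING: add <url-pattern>/*</url-pattern> to the security-constraint")
```

Point it at the deployed invoker.war/WEB-INF/web.xml after editing; a constraint that lists only specific servlets, has no auth-constraint, or is limited to particular HTTP methods is reported as not covering the whole context.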
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.