JBoss is a Java server for running J2EE enterprise applications. Multiple vulnerabilities have been found in the JBoss server, including: Denial-of-Service, Log Manipulation, Manipulation of Process Variables, and Arbitrary Command Injection.
Credit:
The information has been provided by Marc Schoenefeld.
Vulnerable systems:
* JBoss version 3.0.8
* JBoss version 3.2.1
Illegalaccess.org has discovered a critical security vulnerability in the latest production version of the JBoss J2EE application server. The vulnerability affects default installations of JBoss running on JDK 1.4.x. We were able to design proof of concept code for this issue, which allows a remote attack resulting in several compromises, ranging from information disclosure, log manipulation and manipulation of Java process properties to execution of any commands on the (Windows) system with the privileges of the JBoss process. Illegalaccess.org does not rule out the possibility of remotely controlled code execution on JBoss servers running on top of other operating systems (such as Linux, Solaris, Mac, OS/390).
The existence of the vulnerability has been confirmed by Marc Fleury and Scott Stark of the JBoss Group. This report is part of the coordinated release of information about this new threat. The appropriate security bulletin for the JBoss system, as well as a configuration fix for the affected 3.X versions, are available for download from the JBoss web site (see URL below).
It should be stated that the reaction time of the JBoss Group was exemplary in providing an immediate correction of the default configuration that was causing the problem.
Description:
This is a command injection vulnerability that exists in an integral component of the JBoss server, HSQLDB, an SQL database managing JMS connections. As a combined result of programming errors in the sun.* classes and logic errors in the org.apache.* classes of the JDK, together with the settings in the default configuration of JBoss, attackers can obtain remote access to vulnerable JBoss systems. Our tests confirmed that this vulnerability affects all default installations of JBoss 3.2.1 and potentially every other system using TCP/IP based connections to HSQLDB.
Impact:
The impact of this vulnerability should be considered critical. Through its exploitation, any user can gain complete control over a vulnerable system by means of a remote attack. By sending a specially crafted sequence of SQL statements to TCP port 1701 of the vulnerable JBoss system, an attacker can exploit the vulnerabilities and, in the worst case, execute any code with the privileges of the Java process executing JBoss.
Solution:
It should be emphasized that this vulnerability poses a critical threat and the appropriate patches provided by JBoss (see below) should be applied immediately. The patch currently available at http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866 describes the fix, which is to limit HSQLDB to in-memory mode.
=======start of snippet from updated jboss documentation=========
The default configuration of the hsqldb service allows for interaction with the database over TCP/IP and can enable arbitrary code to be executed if the default username/password has not been changed. JBoss does not need the socket based access mode, so one can disable this through two changes to the deploy/hsqldb-ds.xml configuration.
I) First, change:
<!-- for tcp connection, other processes may use hsqldb -->
<connection-url>
jdbc:hsqldb:hsql://localhost:1701
</connection-url>
To:
<!-- for in-process db with file store, saved when jboss stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
<connection-url>
jdbc:hsqldb:localDB
</connection-url>
II) Next, comment out or remove this section:
<!-- this mbean should be used only when using tcp connections -->
<mbean code="org.jboss.jdbc.HypersonicDatabase"
name="jboss:service=Hypersonic">
<attribute name="Port">1701</attribute>
<attribute name="Silent">true</attribute>
<attribute name="Database">default</attribute>
<attribute name="Trace">false</attribute>
<attribute name="No_system_exit">true</attribute>
</mbean>
=======end of snippet from updated jboss documentation=========
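A configuration audit for the two changes described above, written here as an added example (not part of the advisory or of JBoss): it parses a deploy/hsqldb-ds.xml and reports whether the TCP connection URL or the HypersonicDatabase MBean is still present. The two sample files are constructed from the snippet above; the DefaultDS/driver-class elements are assumed surrounding content.

```python
"""Audit a JBoss 3.x deploy/hsqldb-ds.xml for socket-based HSQLDB mode.

Added example, not JBoss code: it flags the two settings the documented fix
removes, a jdbc:hsqldb:hsql:// (TCP) connection URL and the HypersonicDatabase
MBean that opens the listener on the configured port.
"""
import xml.etree.ElementTree as ET

HSQL_MBEAN = "org.jboss.jdbc.HypersonicDatabase"


def audit_hsqldb_ds(xml_text):
    """Return a list of findings; an empty list means in-process mode only."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []
    for url in root.iter("connection-url"):
        value = (url.text or "").strip()
        # hsql://host:port means a TCP listener that other processes can reach
        if value.startswith("jdbc:hsqldb:hsql://"):
            findings.append("tcp connection-url: %s" % value)
    for mbean in root.iter("mbean"):
        if mbean.get("code") == HSQL_MBEAN:
            port = mbean.findtext("attribute[@name='Port']")
            findings.append("HypersonicDatabase MBean present (Port=%s)" % port)
    return findings


# Constructed sample: the default (vulnerable) layout quoted in the advisory.
DEFAULT_DS = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <!-- for tcp connection, other processes may use hsqldb -->
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
  </local-tx-datasource>
  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Database">default</attribute>
  </mbean>
</datasources>"""

# Constructed sample: the same file after the two documented changes.
FIXED_DS = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:hsqldb:localDB</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
  </local-tx-datasource>
</datasources>"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_DS), ("fixed", FIXED_DS)):
        print(name, audit_hsqldb_ds(text) or ["ok: in-process mode only"])
```

Point `audit_hsqldb_ds` at the contents of each server configuration's deploy/hsqldb-ds.xml to confirm the fix was applied to every configuration, not only the default one.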