CERT VU#632656

History: Feb 20, 2007 - 12:00 a.m.

JBoss Application Server may not properly restrict access to the administrative interface

Source: www.kb.cert.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE

Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.969 High (Percentile 99.7%)

Overview

The JBoss Application Server may allow unauthenticated, remote access to the administrative console.

Description

JBoss is an open source application server implemented in Java. Because it is Java-based, JBoss can be used on any operating system that supports Java. JBoss servers can be remotely managed through a web-based administrative interface.

If JBoss is installed without using the advanced installer options, the JBoss security features will need to be configured manually. If a JBoss server is configured to allow unauthenticated access to the administrative interface, and is accessible from a remote network, then an attacker may be able to access and modify data on the server.

Note that it may be possible to enumerate vulnerable servers by using search engines.


Impact

A remote, unauthenticated attacker may be able to gain administrative access to a JBoss Application Server. Once an attacker has access, they may be able to access and modify data on that server.


Solution

Use the installer

Using the advanced installer options will configure JBoss to only allow authenticated administrative access.


Enable role-based security

Enabling role-based security may mitigate this vulnerability. See the SecureTheJmxConsole page on the JBoss wiki for more information.

Restrict access

Restricting access to the administrative interface to trusted hosts may mitigate this vulnerability. See the LimitAccessToCertainClients page on the JBoss wiki for more information.
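The role-based mitigation above comes down to a declarative gate in the console's WEB-INF/web.xml. The following audit script is an added example (not CERT's or JBoss's code) that parses a descriptor and reports whether every path requires a role and whether a login method is configured; the sample descriptors are constructed, and the JBossAdmin role name is an assumption taken from common JBoss guidance.

```python
"""Audit a JBoss jmx-console WEB-INF/web.xml for an authentication gate.

Added example, not CERT's or JBoss's code. It checks what the
SecureTheJmxConsole guidance relies on: a <security-constraint>
covering /* with an <auth-constraint> role, plus a <login-config>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an unconfigured console descriptor with no security block.
WEB_XML_OPEN = """<web-app>
  <servlet><servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/HtmlAdaptor</url-pattern></servlet-mapping>
</web-app>"""

# Constructed sample: the same descriptor requiring the (assumed) JBossAdmin role
# on every path, with BASIC auth so the container actually asks for credentials.
WEB_XML_SECURED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every path needs a role."""
    root = ET.fromstring(xml_text)
    findings = []
    gated = False
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        roles = [r.text.strip() for r in sc.iter("role-name") if r.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        # Servlet semantics: listing <http-method> elements narrows the
        # constraint to those verbs only, so any other verb stays unauthenticated.
        if methods:
            findings.append("constraint limited to verbs %s" % ",".join(methods))
        if "/*" in patterns and roles:
            gated = True
    if not gated:
        findings.append("no security-constraint covering /* with a role-name")
    if root.find("login-config/auth-method") is None:
        findings.append("no login-config/auth-method, so credentials are never requested")
    return findings
```

Run it against the descriptor deployed under each server's jmx-console.war; a non-empty result means the console is reachable without a login by at least some requests.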


Vendor Information


Red Hat, Inc.: Affected

Updated: February 21, 2007

Status: Affected

Vendor Statement

The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:

<http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

This vulnerability was reported by Ben Dexter.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-1036
Severity Metric: 2.25
Date Public:
