Full Disclosure mailing list archives
Vulnerabilities in JBoss Application Server
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 15 Sep 2011 23:43:26 +0300
Hello list! I want to warn you about Information Leakage and Brute Force vulnerabilities in JBoss Application Server.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of JBoss Application Server, including JBoss 3.2.7, JBoss 4.0.5.GA, JBoss 5.0 and previous versions.

----------
Details:
----------

Information Leakage (WASC-13):

http://site/status
http://site/status?full=true

The status page is publicly accessible, which leads to leakage of the logs of the last connections and (in the second case) leakage of all services (with their paths) on the server.

Brute Force (WASC-11):

There is no protection against Brute Force attacks at these resources:

http://site/jmx-console/
http://site/web-console/
http://site/admin-console/ (starting from version 5.1.0)
http://site/jbossws/ (there are servers where a password isn't set on this resource)

And other private resources with a BF vulnerability (which are hidden behind Basic Authentication, like the above-mentioned resources, except Admin Console). The list of all resources of a specific server can be found at the page status?full=true.

------------
Timeline:
------------

2010.03.06 - found multiple holes at another vulnerable Ukrtelecom web site, a few of them holes in JBoss.
2010.08.23 - gave them time to fix the other multiple holes at their sites, Internet services and telecommunication services, which I had informed them about during 2007-2010, but with no results.
2010.08.24 - announced at my site about multiple holes at Ukrtelecom's web site, a few of them holes in JBoss.
2010.08.25 - informed Ukrtelecom (and they by themselves could inform the developers of JBoss).
2011.06.03 - gave them time to fix these holes (and all other holes, including holes in Iskra ADSL routers, which they supply to their clients), but with no results (except fixing the above-mentioned Information Leakage in JBoss at their site).
2011.06.04 - announced at my site about holes in JBoss.
2011.06.05 - informed the developers of JBoss.
2011.09.09 - disclosed at my site.

I mentioned these vulnerabilities in JBoss at my site:
http://websecurity.com.ua/5196/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
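The two issues in the post (the unauthenticated /status pages and the consoles behind Basic Authentication with no lockout) both lend themselves to simple defender-side checks. The following is an added example, written by the editor and not part of MustLive's post or of the JBoss project: an exposure audit that reports which of the listed paths answer without authentication, and a detector that flags a client producing a burst of HTTP 401 responses against the console paths. The function names, the `fetch` hook and the access-log lines are all the editor's own constructions; the log lines are in common log format and assume a front-end web server records the status code JBoss returns.

```python
"""Hypothetical helpers for the JBoss issues described in the advisory (editor's example).

1. audit_exposure(): GET each path from the advisory and classify the status code.
   200 on /status or a console path means the resource is reachable without auth.
2. detect_bruteforce(): sliding-window count of 401 responses per client IP on the
   Basic-Auth console paths, which is the signal a missing lockout leaves in logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Paths named in the advisory; /admin-console/ exists from JBoss 5.1.0 onward.
SENSITIVE_PATHS = [
    "/status",
    "/status?full=true",
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/jbossws/",
]
CONSOLE_PREFIXES = ("/jmx-console/", "/web-console/", "/admin-console/", "/jbossws/")


def http_status(url: str, timeout: float = 5.0) -> int:
    """Default fetcher: return the HTTP status of a GET, 0 if unreachable (uses the network)."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:
        return e.code
    except URLError:
        return 0


def classify_exposure(status: int) -> str:
    """Map a status code to an audit verdict: 200 = served without credentials."""
    if status == 200:
        return "EXPOSED"
    if status in (401, 403):
        return "PROTECTED"
    if status == 0:
        return "UNREACHABLE"
    return "OTHER"


def audit_exposure(base_url: str, fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Check every advisory path on base_url; fetch is injectable so the audit is testable offline."""
    return {p: classify_exposure(fetch(urljoin(base_url, p))) for p in SENSITIVE_PATHS}


# Common log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Parse one access-log line into (ip, timestamp, path, status); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, datetime]:
    """Return {ip: time the threshold was first reached} for IPs with >= threshold
    401s on console paths inside a sliding window. Lines are assumed time-ordered."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status != 401 or not path.startswith(CONSOLE_PREFIXES):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


# Constructed sample log: one client hammering /jmx-console/, one benign client.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2011:23:40:00 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.5 - - [15/Sep/2011:23:40:01 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.9 - - [15/Sep/2011:23:40:02 +0300] "GET /web-console/ HTTP/1.1" 401 1291',
    '10.0.0.5 - - [15/Sep/2011:23:40:02 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.9 - - [15/Sep/2011:23:40:03 +0300] "GET /status?full=true HTTP/1.1" 200 8012',
    '10.0.0.5 - - [15/Sep/2011:23:40:03 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.5 - - [15/Sep/2011:23:40:04 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.5 - - [15/Sep/2011:23:40:05 +0300] "GET /jmx-console/ HTTP/1.1" 401 1291',
    '10.0.0.9 - - [15/Sep/2011:23:41:30 +0300] "GET /web-console/ HTTP/1.1" 401 1291',
]

if __name__ == "__main__":
    # Offline demo: a stubbed fetcher standing in for a server with open /status pages.
    stub = lambda u: 200 if "/status" in u else 401
    for path, verdict in audit_exposure("http://jboss.example/", fetch=stub).items():
        print(f"{verdict:11} {path}")
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force burst from {ip} at {when.isoformat()}")
```

The audit only reads status codes, so it can run against a staging copy with the default fetcher; any `EXPOSED` verdict on /status or a console path is the condition the advisory describes. The detector keys on 401 because a console that is reachable but unprotected returns 200 and would be caught by the audit instead.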