oss-sec mailing list archives
CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ?
From: yersinia <yersinia.spiros () gmail com>
Date: Fri, 20 Jul 2012 18:12:53 +0200
Following this apparent RFE on JBOSS https://issues.jboss.org/browse/JBPAPP-3391?_sscc=t I have found a nice description, and a proposed patch, about it here http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss/. But the last link describes - apparently - a serious bug in the JBoss JMX Invoker Layer, a missing authentication that can produce a serious problem. Reading the other response I don't think there is today the possibility to enforce a true mitigation in JBOSS, apart from putting in place some form of network control (aka a firewall). This is for JBOSS 5.0; I know that twiddle is no longer in JBoss EAP 6.0, which provides a totally new, much improved, secure and scriptable management interface. Do you think this can require a CVE for JBOSS EAP 5? Thanks in advance.
Current thread:
- CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ? yersinia (Jul 20)
- Re: CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ? David Jorm (Jul 22)
- Re: CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ? Kurt Seifried (Jul 23)
- Re: CVE for JBOSS EAP 5.0(twiddle and jmx invocations) ? David Jorm (Jul 22)