[jboss-dev] JBoss AS Security Vulnerability

Ryan Campbell ryan.campbell at jboss.com
Mon Nov 27 11:49:37 EST 2006


Symantec discovered a flaw in the DeploymentFileRepository class of the
JBoss Application Server. A remote attacker who is able to access the
console manager could read or write to files with the permissions of the
JBoss AS user. This could potentially lead to arbitrary code execution
as the JBoss AS user. (CVE-2006-5750)

Please note that the JBoss AS console manager should always be secured
prior to deployment, as directed in the JBoss Application Server Guide.
By default, the JBoss AS installer gives users the ability to password
protect the console manager, limiting an attack using this vulnerability
to authorised users. These steps can also be performed manually.
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
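The password protection the advisory recommends is expressed in the console web application's deployment descriptor as a security-constraint plus a login-config. The following audit script is an added example written for this page, not JBoss project code: it parses a web.xml, reports whether the console would still be reachable without credentials, and treats a constraint that is only present inside an XML comment as absent. The three sample descriptors are constructed, and the file location named in the comments (deploy/jmx-console.war/WEB-INF/web.xml) is an assumption about where such a descriptor lives.

```python
"""Audit a JBoss console web.xml for the login protection the advisory recommends.

Added example for this advisory, not JBoss project code.  The sample descriptors
are constructed; the path deploy/jmx-console.war/WEB-INF/web.xml is an assumption.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop any XML namespace so Servlet 2.3 and 2.4 style descriptors are handled alike
    return tag.rsplit('}', 1)[-1]


def audit_console_webxml(xml_text):
    """Return a list of findings; an empty list means every request must authenticate."""
    root = ET.fromstring(xml_text)
    findings = []

    # A constraint wrapped in <!-- --> is a comment, so the parser never sees it:
    # this is exactly the state in which an unsecured console ships.
    constraints = [e for e in root if _local(e.tag) == 'security-constraint']
    if not constraints:
        findings.append('no security-constraint: console is reachable without authentication')
    for sc in constraints:
        patterns = [p.text.strip() for p in sc.iter() if _local(p.tag) == 'url-pattern' and p.text]
        roles = [r.text.strip() for r in sc.iter() if _local(r.tag) == 'role-name' and r.text]
        if '/*' not in patterns:
            findings.append('security-constraint does not cover /*: %r' % patterns)
        if not roles:
            findings.append('security-constraint has no auth-constraint role, so login is not required')

    # Without a login-config the container has no way to challenge for credentials
    if not any(_local(e.tag) == 'login-config' for e in root):
        findings.append('no login-config: no authentication method is configured')
    return findings


def console_is_protected(xml_text):
    return not audit_console_webxml(xml_text)


# Constructed sample 1: constraint present only inside a comment (unsecured)
UNSECURED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet><servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.example.HtmlAdaptor</servlet-class></servlet>
  <servlet-mapping><servlet-name>HtmlAdaptor</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
  <!--
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""

# Constructed sample 2: constraint uncommented but no auth-constraint and no login-config
PARTIAL = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample 3: constraint covers /*, requires a role, and BASIC auth is configured
SECURED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss Console</realm-name>
  </login-config>
</web-app>"""


if __name__ == '__main__':
    for name, doc in (('unsecured', UNSECURED), ('partial', PARTIAL), ('secured', SECURED)):
        print(name, audit_console_webxml(doc) or 'OK')
```

Run it against the real descriptor with `audit_console_webxml(open(path).read())`; the check is deliberately strict, so a constraint that covers only a sub-path or omits the role is reported rather than accepted.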

This vulnerability affects all JBoss AS releases from v3.2.4 to v4.0.5.

Please see this link for information on how to fix this vulnerability:

http://jira.jboss.com/jira/browse/JBAS-3861