[JBoss JIRA] Created: (GPD-278) Security issue allows arbitrary java code to be deployted and executed
2:32 a.m.
Security issue allows arbitrary java code to be deployted and executed
----------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:39 a.m.
New subject: [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployted and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Thomas Diesler commented on GPD-278:
------------------------------------
Please have look at the IntegrationTestHelper. It demonstrates how to obtain a
MBeanServerConnection and deployes a file through the MainDeployer
Security issue allows arbitrary java code to be deployted and
executed
----------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:41 a.m.
New subject: [JBoss JIRA] Updated: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Thomas Diesler updated GPD-278:
-------------------------------
Summary: Security issue allows arbitrary java code to be deployed and executed (was:
Security issue allows arbitrary java code to be deployted and executed)
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:10 a.m.
New subject: [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Ronald van Kuijk commented on GPD-278:
--------------------------------------
As I mentioned in SOA-1065, this is for me totallty unrelated (but if someone can prove
otherwise, I'd be happy to change my point of view). Changing the deployer so
drastically shoud (imo) go into GPD 4 and not a micro/patch release.
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:15 p.m.
New subject: [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Jervis Liu commented on GPD-278:
--------------------------------
How about the workaround I suggested in SOA-1065. It is not ideal, but it fits for a
"micro/patch release.", it is also consistent with the approach taken by JBOSS
ESB.
"A quick fix can be sth like what has been done in ESB, i.e., having a property
called "supportMessageBasedScripting" in jBPM process configuration file.
Turning this flag on means the owner of this piece of code is fully aware of what his/her
process will be doing and security related implications. By default this flag is turned
off. Please refer to https://jira.jboss.org/jira/browse/JBESB-1561
But I agree that a long term proper fix would have to have SecurityManager involved.
"
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:17 a.m.
New subject: [JBoss JIRA] Updated: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Thomas Diesler updated GPD-278:
-------------------------------
Fix Version/s: jBPM jPDL Designer 3.1.7
Priority: Critical (was: Major)
This is a critical issue that must get addressed in 3.1.7
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
Fix For: jBPM jPDL Designer 3.1.7
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:19 p.m.
New subject: [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Ronald van Kuijk commented on GPD-278:
--------------------------------------
Thomas,
Instead of just changing the issue from major to critical, could you also comment on the
statements being made? Since most of the discussion is *not* about the deployer and
therefore *not* something that should be fixed in the GPD
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
Fix For: jBPM jPDL Designer 3.1.7
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:44 p.m.
New subject: [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Koen Aers commented on GPD-278:
-------------------------------
As Len Dimaggio states in his closing comment of SOA-265 (not for everyone) :
Summary:
For standalone server, default configuration exposes /upload servlet
For embedded server, all configuration exposes /upload servlet
For embedded server, production configuration does not expose /up;load servlet
jBPM User guide inlcudes instructions to expose or not expose /upload servlet
Standalone and embedded server .zip files both inlcude /tools/resources dir with these
files:
-rw-r--r-- 1 ldimaggi ldimaggi 723723 Feb 3 16:25 jbpm-console-development.war
-rw-r--r-- 1 ldimaggi ldimaggi 723724 Feb 3 16:25 jbpm-console-production.war
This solution IMO closes the security hole at the expense of two different artefacts. It
has nothing to do with the way processes are deployed to the server (ie servlet vs other
system). It is only a matter of making sure that the deployment happens by a person with
the right credentials. The only way to solve this properly is by making the install script
ask to create a userid/password combo with deployment privileges, by securing the servlet
and by making a preference in the gpd to configure this userid/password combo.
We need to keep in mind that our first goal (of the jBPM project) is to reach out to as
many possible users as possible on as many platforms as possible. Therefore, we need to
hold on to a smooth out-of-the-box experience. I don't agree that this issue is
critical for the next GPD release and I even think it shouldn't be fixed for now given
the existing solution (though not ideal) in the SOA product.
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
Fix For: jBPM jPDL Designer 3.1.7
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:24 p.m.
New subject: [JBoss JIRA] Updated: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Koen Aers updated GPD-278:
--------------------------
Fix Version/s: (was: jBPM jPDL Designer 3.1.7)
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:34 a.m.
New subject: [JBoss JIRA] Resolved: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Koen Aers resolved GPD-278.
---------------------------
Resolution: Rejected
As can be derived from the comments, this issue has nothing to do with the GPD. A sandbox
system for the runtime is being put in place.
Security issue allows arbitrary java code to be deployed and
executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be
executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5659
days inactive
5869
days old
9 comments
4 participants
participants (4)
-
Jervis Liu (JIRA) -
Koen Aers (JIRA)
-
Ronald van Kuijk (JIRA)
-
Thomas Diesler (JIRA)