[jboss-jira] [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed
Koen Aers (JIRA)
jira-events at lists.jboss.org
Thu Jan 8 15:44:05 EST 2009
[ https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12446246#action_12446246 ]
Koen Aers commented on GPD-278:
-------------------------------
As Len Dimaggio states in his closing comment of SOA-265 (not for everyone):
Summary:
For standalone server, default configuration exposes /upload servlet
For embedded server, all configuration exposes /upload servlet
For embedded server, production configuration does not expose /upload servlet
jBPM User guide includes instructions to expose or not expose /upload servlet
Standalone and embedded server .zip files both include /tools/resources dir with these files:
-rw-r--r-- 1 ldimaggi ldimaggi 723723 Feb 3 16:25 jbpm-console-development.war
-rw-r--r-- 1 ldimaggi ldimaggi 723724 Feb 3 16:25 jbpm-console-production.war
This solution IMO closes the security hole at the expense of two different artefacts. It has nothing to do with the way processes are deployed to the server (i.e. servlet vs other system). It is only a matter of making sure that the deployment happens by a person with the right credentials. The only way to solve this properly is by making the install script ask to create a userid/password combo with deployment privileges, by securing the servlet and by making a preference in the GPD to configure this userid/password combo.
We need to keep in mind that our first goal (of the jBPM project) is to reach out to as many possible users as possible on as many platforms as possible. Therefore, we need to hold on to a smooth out-of-the-box experience. I don't agree that this issue is critical for the next GPD release and I even think it shouldn't be fixed for now given the existing solution (though not ideal) in the SOA product.
> Security issue allows arbitrary java code to be deployed and executed
> ---------------------------------------------------------------------
>
> Key: GPD-278
> URL: https://jira.jboss.org/jira/browse/GPD-278
> Project: JBoss jBPM GPD
> Issue Type: Bug
> Components: jpdl
> Reporter: Thomas Diesler
> Assignee: Koen Aers
> Priority: Critical
> Fix For: jBPM jPDL Designer 3.1.7
>
>
> The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be executed on the AS
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
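As an added illustration of the remediation Koen Aers describes above (putting the console's /upload servlet behind a credential with deployment privileges), here is a servlet-spec web.xml fragment; it is an editorial example, not configuration from the JIRA thread or from the jBPM project itself. The url-patterns, the realm name and the role name `jbpm-deployer` are assumptions.

```xml
<!-- Added example, not jBPM's own web.xml: restrict the deployment upload
     endpoint of the console war to an authenticated deployer role so that
     deploying a process archive requires a credential. The role name
     "jbpm-deployer" and the url-patterns below are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Process deployment upload</web-resource-name>
    <!-- Cover the servlet itself and anything mapped beneath it -->
    <url-pattern>/upload</url-pattern>
    <url-pattern>/upload/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only principals in this role may reach the upload servlet -->
    <role-name>jbpm-deployer</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so the deployer credential is not sent in clear text -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jBPM deployment</realm-name>
</login-config>

<security-role>
  <description>Users allowed to deploy process definitions</description>
  <role-name>jbpm-deployer</role-name>
</security-role>
```

On JBoss AS the war additionally needs a jboss-web.xml `security-domain` pointing at a login module whose user store contains the deployer account the install script would create, which is the other half of the approach the comment proposes.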