-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1174
                  Important: JBoss Remoting security update
                                17 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Remoting
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3518

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2014-0887.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Remoting security update
Advisory ID:       RHSA-2014:0887-02
Product:           Red Hat JBoss Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0887.html
Issue date:        2014-07-16
CVE Names:         CVE-2014-3518
=====================================================================

1. Summary:

This advisory contains instructions on how to resolve one security issue found in the JBoss Remoting component, which is included in Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1.

The Red Hat Security Response Team has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Remoting is a stand-alone project that provides an API for making remote invocations using pluggable transports and data marshallers.
JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification, JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore applies no authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server.

None of the supported Red Hat JBoss 5.x products is affected by this issue in its default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected. (CVE-2014-3518)

Red Hat would like to thank Harun ESUR of Sceptive for reporting this issue.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have jmx-remoting.sar deployed are advised to follow the instructions provided in the Solution section of this advisory.

3. Solution:

If your server is affected, undeploy jmx-remoting.sar if JMX remoting is not required by your applications. If your applications do require it, secure JMX remoting by following the instructions at:

https://access.redhat.com/solutions/238943

For more information, see:

https://access.redhat.com/solutions/1120423

4. Bugs fixed (https://bugzilla.redhat.com/):

1112545 - CVE-2014-3518 JBoss EAP/AS 5: Remote code execution via unauthenticated JMX/RMI connector

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3518.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/238943
https://access.redhat.com/solutions/1120423

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTxgt5XlSAg2UNWIIRAjczAJ9F6uSgwR0JTGCNVMIDeNh/k5NFLwCfeUIh
dltY2MVzLihWQlMsE8u7jbA=
=f1Ak
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
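As an added check for the Solution section of the Red Hat advisory above (this script is not part of the bulletin or of Red Hat's guidance): a POSIX shell script that lists the JBoss AS/EAP 5 server profiles with jmx-remoting.sar in their hot-deploy directory, and can move the archive out of that directory so the hot deployer undeploys it. It assumes the JBoss AS 5 layout <jboss_home>/server/<profile>/deploy; the `undeployed` quarantine directory name and the demo layout are my own constructions.

```shell
#!/bin/sh
# Added example, not from the advisory: find and undeploy jmx-remoting.sar
# on JBoss AS/EAP 5 installations (assumed layout: server/<profile>/deploy).

# Print each profile under $1 that has jmx-remoting.sar deployed
# (exploded directory or packaged archive). Returns 0 if any were found,
# 1 if none, so it can drive a compliance check in a larger script.
find_jmx_remoting() {
    jboss_home="$1"
    found=1
    for deploy_dir in "$jboss_home"/server/*/deploy; do
        [ -d "$deploy_dir" ] || continue
        if [ -e "$deploy_dir/jmx-remoting.sar" ]; then
            profile=$(basename "$(dirname "$deploy_dir")")
            echo "$profile"
            found=0
        fi
    done
    return $found
}

# Move jmx-remoting.sar of profile $2 under $1 out of the deploy directory
# into a quarantine directory (name is my own choice). Removing it from the
# hot-deploy directory is what causes the running server to undeploy it.
quarantine_jmx_remoting() {
    jboss_home="$1"
    profile="$2"
    src="$jboss_home/server/$profile/deploy/jmx-remoting.sar"
    dest="$jboss_home/server/$profile/undeployed"
    [ -e "$src" ] || return 1
    mkdir -p "$dest" && mv "$src" "$dest/"
}

# Constructed sample layout for a stand-alone run (not a real installation):
# two profiles with the example SAR deployed, one without.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/server/default/deploy/jmx-remoting.sar" \
             "$root/server/minimal/deploy" \
             "$root/server/production/deploy/jmx-remoting.sar"
    echo "$root"
}
```

On a real EAP 5 installation, point `find_jmx_remoting` at the `jboss-as` directory under the EAP home and quarantine only the profiles whose applications do not need JMX remoting; the others should be secured per the linked Red Hat solution instead.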