Fwd: JBoss AS Security Vulnerability Notice
From: Jon Scott Stevens
Date: Nov 27, 2006 12:06 PM
This seems important to note in the archives here. =)
Begin forwarded message:
> ------ Forwarded Message
> From: "support@jboss.com" <JBoss@en25.com>
> Reply-To: <support@jboss.com>
> Date: Mon, 27 Nov 2006 10:41:40 -0500
> Conversation: JBoss AS Security Vulnerability Notice
> Subject: JBoss AS Security Vulnerability Notice
>
> Symantec discovered a flaw in the DeploymentFileRepository class of
> the JBoss Application Server. A remote attacker who is able to
> access the console manager could read or write to files with the
> permissions of the JBoss AS user. This could potentially lead to
> arbitrary code execution as the JBoss AS user. (CVE-2006-5750)
>
> Please note that the JBoss AS console manager should always be
> secured prior to deployment, as directed in the JBoss Application
> Server Guide. By default, the JBoss AS installer gives users the
> ability to password protect the console manager, limiting an attack
> using this vulnerability to authorised users. These steps can also
> be performed manually.
> http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
>
> This vulnerability affects all JBoss AS releases from v3.2.4 to v4.0.5.
>
> Please see this link for information on how to fix this vulnerability:
>
> http://jira.jboss.com/jira/browse/JBAS-3861
>
>
> ------ End of Forwarded Message
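The notice says the console manager must be password protected before deployment. As an added defensive check (not part of the forwarded notice or of JBoss's own code), the script below audits a servlet deployment descriptor (web.xml) for the console web app and reports whether authentication is actually enforced; it assumes the console is protected the standard servlet way via a security-constraint, and the two descriptors and the role name are constructed samples.

```python
# Added example, not from the advisory or the JBoss project: audit a
# servlet deployment descriptor (web.xml) for the console web app and
# report whether it really enforces authentication. The check demands an
# active <security-constraint> with a <url-pattern>, an <auth-constraint>
# naming a role, and a <login-config>. A constraint that only exists
# inside an XML comment is ignored, because the servlet container ignores
# it too (ElementTree drops comments while parsing).
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]


def audit_console_descriptor(web_xml_text):
    """Return a dict describing which protection pieces are present."""
    root = ET.fromstring(web_xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    # url-patterns and role-names are only counted inside an active constraint
    patterns = [p.text.strip() for sc in constraints for p in sc.iter()
                if _local(p.tag) == "url-pattern" and p.text]
    roles = [r.text.strip() for sc in constraints for r in sc.iter()
             if _local(r.tag) == "role-name" and r.text]
    has_login = any(_local(e.tag) == "login-config" for e in root.iter())
    return {
        "url_patterns": patterns,
        "roles": roles,
        "login_config": has_login,
        "protected": bool(patterns) and bool(roles) and has_login,
    }


# Constructed sample: the constraint is present but commented out, so the
# console is reachable without credentials (the state the notice warns about).
UNPROTECTED_WEB_XML = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ConsoleAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""

# Constructed sample: the same constraint made active, plus a login-config.
PROTECTED_WEB_XML = UNPROTECTED_WEB_XML.replace("<!--", "").replace("-->", "").replace(
    "</web-app>",
    "<login-config><auth-method>BASIC</auth-method></login-config></web-app>")

if __name__ == "__main__":
    for name, text in (("unprotected", UNPROTECTED_WEB_XML), ("protected", PROTECTED_WEB_XML)):
        print(name, audit_console_descriptor(text))
```

The check only inspects the descriptor; it says nothing about whether the login module behind the login-config is configured with real credentials.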