IT Process Automation

Notification: Possible CA Pam EJBInvokerServlet and JMXInvokerServlet servlets vulnerability 4.0-4.1SP1


    Posted 11-04-2014 01:47 PM

    Summary:

    CA PAM (CA Process Automation) 4.0 through 4.1 SP1 contains a high-risk vulnerability that allows a remote attacker to execute arbitrary code. The JBoss EJBInvokerServlet and JMXInvokerServlet servlets shipped with the product are reachable without authentication. An attacker who can reach them can upload and deploy a malicious web application archive (WAR) file, which results in a full compromise of the server.

    To test for this vulnerability, replace <HOST> with the hostname of the PAM installation in the following URLs (adjust the port if PAM does not listen on the default 8080):

    http://<HOST>:8080/invoker/EJBInvokerServlet

    http://<HOST>:8080/invoker/JMXInvokerServlet

    If the URLs return content without prompting for credentials (an HTTP 200 rather than a 401 or 403), the installation may be vulnerable.
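    The check above, scripted so it can be run against every node at once, as an added example for this notice (not CA's own tooling). It issues one anonymous GET to each of the two URLs and classifies the answer; it does not exploit anything. Plain HTTP on port 8080 and the "pamserver" placeholder come from the notice; the SCHEME/PORT/TIMEOUT constants and the verdict names are this script's own, and any hostnames passed on the command line are assumed. Because it only looks at the response, it also serves as the confirmation in step 5 of the workaround below once the web.xml change has been applied.

```python
"""Probe CA PAM nodes for anonymously reachable JBoss invoker servlets.

Added example for this notice, not CA's tooling: it issues one GET to each of
the two URLs the notice names and classifies the answer; it does not exploit
anything. Plain HTTP on port 8080 and the 'pamserver' placeholder are taken
from the notice; change SCHEME/PORT if PAM sits behind TLS or another port.
"""
import sys
import urllib.error
import urllib.request

SCHEME = "http"
PORT = 8080
TIMEOUT = 10
SERVLETS = ("EJBInvokerServlet", "JMXInvokerServlet")
# Header of a Java object-serialisation stream. The invoker servlets speak
# serialised Java objects, so a body starting with it means the servlet ran.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def invoker_url(host, servlet, scheme=SCHEME, port=PORT):
    """Build the URL in the form the notice gives."""
    return f"{scheme}://{host}:{port}/invoker/{servlet}"


def classify(status, body):
    """Map one HTTP response to a verdict for the servlet that was probed.

    protected - the container challenged or refused the anonymous request
    absent    - nothing is deployed at that path
    exposed   - the invoker ran and answered with a serialised Java object
    reachable - the servlet ran with no challenge but the body is not
                serialised data (e.g. a stack trace or, with FORM login,
                the login page that urllib followed a redirect to); check
                the body by hand before treating it as safe
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200 and body.startswith(JAVA_SERIAL_MAGIC):
        return "exposed"
    if 200 <= status < 300 or status >= 500:
        return "reachable"
    return f"http-{status}"


def probe(host, servlet):
    """Fetch one servlet URL without credentials and classify the reply."""
    req = urllib.request.Request(invoker_url(host, servlet),
                                 headers={"User-Agent": "pam-invoker-check"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return classify(resp.status, resp.read(64))
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a body
        return classify(err.code, err.read(64))
    except urllib.error.URLError as err:       # DNS failure, refused, ...
        return f"unreachable ({err.reason})"
    except OSError as err:                     # read timeout and the like
        return f"unreachable ({err})"


def check_hosts(hosts):
    """Probe both servlets on every host -> {host: {servlet: verdict}}."""
    return {host: {s: probe(host, s) for s in SERVLETS} for host in hosts}


def needs_remediation(results):
    """True if any servlet on any node answered without an auth challenge."""
    return any(verdict in ("exposed", "reachable")
               for per_host in results.values()
               for verdict in per_host.values())


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["pamserver"]
    results = check_hosts(hosts)
    for host, verdicts in results.items():
        for servlet, verdict in verdicts.items():
            print(f"{host:<30} {servlet:<18} {verdict}")
    sys.exit(1 if needs_remediation(results) else 0)
```

    Run it as "python pam_invoker_check.py pam01.example.com pam02.example.com" (hostnames made up); the exit status is 1 if any node still answers anonymously, so it can be dropped into a scheduled job until the upgrade to 4.2 is done. A verdict of "exposed" is the anonymous serialised-object reply the notice describes; "reachable" deserves a look at the response body before it is written off.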

     

    The Product Vulnerability Response team tentatively plans to release a public security notice for this vulnerability once all affected product teams have provided remediation.

     

    Affected Products:

    The following CA products contain this vulnerability:

    • CA Process Automation
      o 4.0
      o 4.0 SP1
      o 4.1
      o 4.1 SP1

    • CA Process Management for Workflows
      o 4.0
      o 4.0 SP1
      o 4.1
      o 4.1 SP1

    • Potentially any CA product using CA PAM 4.0 – 4.1 SP1

    Note: the vulnerability may also affect other CA products that use JBoss Application Server, depending on the configuration of the software.

    Non-Affected Products:

    CA PAM releases prior to 4.0
    CA PAM 4.2 and above

     

    What to do if a product is affected:

    Upgrade to CA PAM 4.2.

    If an immediate upgrade is not possible, use the following instructions in the meantime to manually password-protect the vulnerable servlets. The change edits the deployment descriptor of the JBoss invoker web application so that its existing HttpInvokers security constraint also covers the invoker servlets.

    1)    Back up and then open <PAM_Home>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml

    2)    Find these tags:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users
          with the role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/restricted/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>

     

    3)    Inside that web-resource-collection, add the following url-pattern lines after the existing /restricted/* pattern, and remove the two http-method lines. Removing them matters: a security-constraint that lists http-method elements protects only those methods, so with GET and POST listed an attacker could still reach the servlets with any other HTTP method. With no http-method elements the constraint applies to every method.

    Add
    <url-pattern>/JNDIFactory/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>

    Remove
    <http-method>GET</http-method>
    <http-method>POST</http-method>

    Resulting configuration:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users
          with the role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/restricted/*</url-pattern>
        <url-pattern>/JNDIFactory/*</url-pattern>
        <url-pattern>/EJBInvokerServlet/*</url-pattern>
        <url-pattern>/JMXInvokerServlet/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>

     

    4)    Save the file and restart the PAM service.

    5)    Access the following URLs (replace pamserver with the hostname of the node) and confirm they are now password-protected: an anonymous request should receive an authentication challenge (HTTP 401, or 403) instead of the servlet's normal response. A 200 response means the constraint did not take effect; re-check the edit and the restart.

    http://pamserver:8080/invoker/EJBInvokerServlet
    http://pamserver:8080/invoker/JMXInvokerServlet

    Note: if the problem was detected using a security scanning tool, rescan the PAM server after the change to confirm the finding is closed.

    6)    Repeat these steps on every PAM node; each node has its own copy of web.xml and is exposed independently.
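    The whole workaround (steps 1 to 3 plus the per-node audit of step 6) as one scripted, repeatable edit, added here as an example and not CA's own tooling. It works on the descriptor as text rather than re-serialising it through an XML library, so the DOCTYPE, comments and every other constraint in the file stay byte-for-byte as they were; only the HttpInvokers web-resource-collection changes. The path constant keeps the notice's <PAM_Home> placeholder, so pass the real path on the command line; the .bak backup name, the --check flag and the embedded sample descriptor (constructed from the fragment quoted in step 2) are this script's own assumptions.

```python
"""Apply the interim web.xml workaround from this notice, and audit it.

Added example, not CA's own tooling. It scripts steps 1 to 3 as a text edit
on the HttpInvokers <web-resource-collection>: the three url-pattern
elements are added and every http-method element is removed, while the rest
of the file (DOCTYPE, comments, other constraints) is left byte-for-byte as
it was. The path below is the one the notice gives (placeholder included);
the .bak backup name and the --check flag are this script's own. Restart
the PAM service afterwards (step 4).
"""
import re
import shutil
import sys

WEB_XML = r"<PAM_Home>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml"
REQUIRED_PATTERNS = ("/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*")

COLLECTION_RE = re.compile(r"<web-resource-collection>.*?</web-resource-collection>", re.S)
NAME_RE = re.compile(r"<web-resource-name>\s*HttpInvokers\s*</web-resource-name>")
URL_RE = re.compile(r"<url-pattern>\s*([^<]*?)\s*</url-pattern>")
METHOD_LINE_RE = re.compile(r"^[ \t]*<http-method>[^<]*</http-method>[ \t]*\r?\n?", re.M)
METHOD_RE = re.compile(r"<http-method>[^<]*</http-method>")

# Constructed sample in the shape of the fragment the notice quotes in step 2.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _harden_collection(block):
    """Rewrite the HttpInvokers <web-resource-collection> block."""
    # Drop the http-method elements: a constraint that names methods protects
    # only those methods, so with none listed it applies to every method.
    block = METHOD_RE.sub("", METHOD_LINE_RE.sub("", block))
    # Add the missing url-patterns after the last existing one, copying its
    # indentation so the file keeps its layout.
    matches = list(URL_RE.finditer(block))
    if not matches:
        raise ValueError("HttpInvokers collection has no url-pattern to anchor on")
    present = {m.group(1) for m in matches}
    last = matches[-1]
    line_start = block.rfind("\n", 0, last.start()) + 1
    indent = re.match(r"[ \t]*", block[line_start:]).group(0)
    added = "".join(f"\n{indent}<url-pattern>{p}</url-pattern>"
                    for p in REQUIRED_PATTERNS if p not in present)
    return block[:last.end()] + added + block[last.end():]


def harden_web_xml(text):
    """Return the hardened descriptor text (idempotent); raise unless the
    HttpInvokers collection is found exactly once."""
    hits = 0

    def _replace(match):
        nonlocal hits
        if not NAME_RE.search(match.group(0)):
            return match.group(0)
        hits += 1
        return _harden_collection(match.group(0))

    out = COLLECTION_RE.sub(_replace, text)
    if hits != 1:
        raise ValueError(f"expected one HttpInvokers collection, found {hits}")
    return out


def is_hardened(text):
    """Step 6 audit: True only if the HttpInvokers collection carries all
    three patterns and no http-method element."""
    for match in COLLECTION_RE.finditer(text):
        block = match.group(0)
        if NAME_RE.search(block):
            patterns = set(URL_RE.findall(block))
            return (all(p in patterns for p in REQUIRED_PATTERNS)
                    and not METHOD_RE.search(block))
    return False


def harden_file(path, backup_suffix=".bak"):
    """Harden one web.xml in place; returns False if it was already done."""
    with open(path, encoding="utf-8", newline="") as fh:   # keep CRLF as-is
        text = fh.read()
    if is_hardened(text):
        return False
    shutil.copyfile(path, path + backup_suffix)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(harden_web_xml(text))
    return True


if __name__ == "__main__":
    args = sys.argv[1:]
    if args and args[0] == "--check":                       # audit only (step 6)
        with open(args[1] if len(args) > 1 else WEB_XML, encoding="utf-8", newline="") as fh:
            sys.exit(0 if is_hardened(fh.read()) else 1)
    print("hardened" if harden_file(args[0] if args else WEB_XML) else "already hardened")
```

    Run "python pam_web_xml_harden.py D:\PAM\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml" on each node (path made up), restart the service, and later "python pam_web_xml_harden.py --check <same path>" to confirm the node is still hardened after any redeployment. The script refuses to run if it cannot find exactly one HttpInvokers collection, which is the case to stop and inspect the file by hand rather than guess.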