Summary:
CA PAM 4.0 through 4.1 SP1 contains a high-risk vulnerability that can allow a remote attacker to execute arbitrary code. The vulnerability lies in the EJBInvokerServlet and JMXInvokerServlet servlets, which the bundled JBoss Application Server exposes without authentication. Through them an attacker can deploy and execute a malicious web application archive (WAR) file, which can result in a full compromise of the server.
To test for this vulnerability, replace <HOST> with the hostname of the PAM installation in the following URLs:
http://<HOST>:8080/invoker/EJBInvokerServlet
http://<HOST>:8080/invoker/JMXInvokerServlet
If the URLs are accessible without authentication, then the installation may be vulnerable.
The Product Vulnerability Response team is tentatively planning on releasing a public security notice for this vulnerability once all affected product teams provide remediation.
Affected Products:
The following CA products contain this vulnerability:
- CA PAM
o 4.0
o 4.0 SP1
o 4.1
o 4.1 SP1
- CA Process Management for Workflows
o 4.0
o 4.0 SP1
o 4.1
o 4.1 SP1
- Potentially any CA product using CA PAM 4.0 – 4.1 SP1
Note: the vulnerability may also affect other CA products that use JBoss Application Server, depending on how the software is configured.
Non-Affected Products:
CA PAM releases prior to 4.0
CA PAM 4.2 and above
What to do if a product is affected:
Update to CA PAM 4.2.
If an immediate upgrade is not possible, use the following instructions in the meantime to manually password-protect the vulnerable servlets.
1) Open <PAM_Home>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml
2) Find these tags:
<security-constraint>
<web-resource-collection>
<web-resource-name>HttpInvokers</web-resource-name>
<description>An example security config that only allows users
with the role HttpInvoker to access the HTTP invoker servlets
</description>
<url-pattern>/restricted/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>HttpInvoker</role-name>
</auth-constraint>
</security-constraint>
3) Add the following url-pattern lines to the security-constraint above, and remove the two http-method lines. The http-method lines must go because a constraint that lists methods applies only to those methods; with them in place, a request using any other verb (HEAD, for example) would still reach the servlets without a password.
Add
<url-pattern>/JNDIFactory/*</url-pattern>
<url-pattern>/EJBInvokerServlet/*</url-pattern>
<url-pattern>/JMXInvokerServlet/*</url-pattern>
Remove
<http-method>GET</http-method>
<http-method>POST</http-method>
Resulting configuration (note that the http-method lines are gone):
<security-constraint>
<web-resource-collection>
<web-resource-name>HttpInvokers</web-resource-name>
<description>An example security config that only allows users
with the role HttpInvoker to access the HTTP invoker servlets
</description>
<url-pattern>/restricted/*</url-pattern>
<url-pattern>/JNDIFactory/*</url-pattern>
<url-pattern>/EJBInvokerServlet/*</url-pattern>
<url-pattern>/JMXInvokerServlet/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>HttpInvoker</role-name>
</auth-constraint>
</security-constraint>
4) Save the file and restart the PAM service.
5) Access the following URLs and confirm that each now requires authentication (a credentials prompt or an HTTP 401/403 response) for every HTTP method, not only GET and POST:
http://<HOST>:8080/invoker/EJBInvokerServlet
http://<HOST>:8080/invoker/JMXInvokerServlet
Note: if the problem was detected with a security scanning tool, rescan the PAM server after making the change.
6) Repeat these steps on all PAM nodes.
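The following script is an added example written for this page; it is not part of the CA advisory and not CA tooling. It covers the check in the "test for this vulnerability" section and in step 5 (probing both servlet URLs with several HTTP methods, not only GET and POST, because a constraint that still lists http-method elements leaves other verbs open) and audits the web.xml edited in steps 1 through 4. The host and web.xml path come from the command line, port 8080 is assumed from the URLs above, the extra probe verbs are the author's choice, and the sample web.xml fragments built inside the script are constructed from the advisory's snippet for self-testing.

```python
"""Added example, not CA's own tooling: audit the invoker web.xml (steps 1-4)
and probe the servlet URLs (the test section and step 5).
Host, port and the web.xml path are assumptions supplied by the operator."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVLETS = ("/invoker/EJBInvokerServlet", "/invoker/JMXInvokerServlet")
REQUIRED_PATTERNS = ("/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*")
# GET/POST are what the sample constraint lists; HEAD, TRACE and a made-up verb
# exercise the gap left open when <http-method> elements remain in web.xml.
PROBE_METHODS = ("GET", "POST", "HEAD", "TRACE", "PAMTEST")


def _local(tag):
    """Drop the XML namespace: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return findings for the invoker constraint; an empty list means it is correct.

    A url-pattern counts as protected only when a security-constraint that has a
    role-name covers it AND that constraint lists no http-method: per the Servlet
    spec, listing methods limits the constraint to those methods only.
    """
    root = ET.fromstring(xml_text)
    fully, partially = set(), set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        elems = [(_local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        if not any(name == "role-name" for name, _ in elems):
            continue  # no auth-constraint, so this one protects nothing
        patterns = {text for name, text in elems if name == "url-pattern"}
        if any(name == "http-method" for name, _ in elems):
            partially |= patterns
        else:
            fully |= patterns
    findings = []
    for pattern in REQUIRED_PATTERNS:
        if pattern in fully:
            continue
        if pattern in partially:
            findings.append(f"{pattern}: only the listed http-methods are protected; "
                            "remove the <http-method> lines so every verb is covered")
        else:
            findings.append(f"{pattern}: not covered by any security-constraint")
    return findings


def _sample(patterns, with_methods):
    """Constructed web.xml mirroring the advisory's snippet (self-test data only)."""
    pats = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    meths = "<http-method>GET</http-method><http-method>POST</http-method>" if with_methods else ""
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><security-constraint>'
            "<web-resource-collection><web-resource-name>HttpInvokers</web-resource-name>"
            f"{pats}{meths}</web-resource-collection><auth-constraint>"
            "<role-name>HttpInvoker</role-name></auth-constraint></security-constraint></web-app>")


SAMPLE_BEFORE = _sample(("/restricted/*",), True)                       # as shipped
SAMPLE_PARTIAL = _sample(("/restricted/*",) + REQUIRED_PATTERNS, True)  # patterns added, verbs kept
SAMPLE_AFTER = _sample(("/restricted/*",) + REQUIRED_PATTERNS, False)   # the fix above


def classify(status):
    """Interpret one probe result (HTTP status code or None for no connection)."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not deployed"
    return "reachable without auth"


def probe(host, port=8080, timeout=5):
    """Send each PROBE_METHOD to each servlet; return {(path, method): status}."""
    results = {}
    for path in SERVLETS:
        for method in PROBE_METHODS:
            req = urllib.request.Request(f"http://{host}:{port}{path}", method=method)
            try:
                with urllib.request.urlopen(req, timeout=timeout) as resp:
                    results[(path, method)] = resp.status
            except urllib.error.HTTPError as err:
                results[(path, method)] = err.code
            except (urllib.error.URLError, OSError):
                results[(path, method)] = None
    return results


def unprotected(results):
    """Servlet/method pairs that reached the servlet without an auth challenge."""
    return sorted(k for k, v in results.items() if classify(v) == "reachable without auth")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: invoker_check.py <host> [path/to/web.xml]")
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            findings = audit_web_xml(fh.read())
        print("\n".join(findings) if findings else "web.xml: invoker constraint is correct")
    results = probe(sys.argv[1])
    for (path, method), status in sorted(results.items()):
        print(f"{method:8} {path:28} {status!s:5} {classify(status)}")
    bad = unprotected(results)
    print(f"{len(bad)} unprotected servlet/method pair(s)" if bad else "all probed verbs were challenged")
```

Run it against each PAM node before and after the web.xml change; a node is only fixed when every probed verb on both servlets is reported as "protected" and the web.xml audit prints no findings. A 404 means the invoker application is not deployed on that node at all.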