Symantec Privileged Access Management

Expand all | Collapse all

How to fix JBoss vulnerabilities?

Jump to Best Answer
  • 1.  How to fix JBoss vulnerabilities?

    Posted 05-22-2017 09:49 PM
    We setup PIM 12.8 SP1 Endpoint Management to manage remote endpoints.  Nessus scan on the embedded JBoss showed these vulnerabilities:  1.  The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by known vulnerabilities, namely CVE-2007-1036, CVE-2012-0874 and CVE-2013-4810.
    2.  unauthenticated access to a status servlet, which is used to monitor sessions and requests sent to the server. This vulnerability (CVE-2008-3273) was fixed in versions 4.2.0.CP03 and 4.3.0.CP01, but was later re-introduced (CVE-2010-1429) by an unrelated bug fix.  3.  unauthenticated access to certain documents under the '/web-console' directory.  This is due to a misconfiguration in 'web.xml' that only requires authentication for GET and POST requests.  Specifying a different command such as HEAD, DELETE or PUT causes the default GET handler to be used without authentication.

    I just received confirmation from CA support that there is no patch to fix these vulnerabilities currently and upgrading to a later version of JBoss is not an option.

    Question:
    1. Has anyone in field managed to fix these vulnerabilities as old as ten years old? Please share your valuable experience.


  • 2.  Re: How to fix JBoss vulnerabilities?
    Best Answer

    Posted 05-23-2017 08:58 AM

    Good day, I hope all is well. I searched our tech docs regarding JBoss vulnerabilities and I came across the following, which will instruct you how to harden JBoss. Please review the doc and let me know if it was helpful in addressing some of the vulnerabilities.

     

    JBoss Hardening -Password Protection for JMX Console and Web Console. 



  • 3.  Re: How to fix JBoss vulnerabilities?

    Posted 05-23-2017 08:16 PM

    Appreciate your help.

     

    For Endpoint Management application, which user(s) must be authorized in the properties files, would you know?



  • 4.  Re: How to fix JBoss vulnerabilities?

    Posted 05-24-2017 10:30 AM

    The users you want to authorize in the properties file are the application owners/administrators who would be managing the Endpoint Manager.