JBoss Application Server Security Vulnerability Notice

  • 3024921
  • 09-Feb-2007
  • 17-Sep-2015

Environment

JBoss Application Server versions 5.0
JBoss Application Server versions 4.0.1 SP1
JBoss Application Server versions 4.0.2 SP1
JBoss Application Server versions 4.0.3 SP1
JBoss Application Server versions 4.0.5
Novell Identity Manager UserApplication 3.0
Novell Identity Manager UserApplication 3.0.1 SP1
Novell Identity Manager UserApplication 3.5.1
Novell Identity Manager UserApplication 3.6.0
Novell Identity Manager UserApplication/RBPM 3.6.1
Novell Identity Manager UserApplication/RBPM 3.7
Novell Identity Manager UserApplication/RBPM 4.0.1

Situation

Symantec discovered a flaw in the DeploymentFileRepository class of the JBoss Application Server. A remote attacker who is able to access the console manager could read or write to files with the permissions of the JBoss AS user. This could potentially lead to arbitrary code execution as the JBoss AS user. (CVE-2006-5750)

Please note that the JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and noted in section 2.2.10 "Disabling the JMX Management Console on JBoss" of the User Application 4.0.x Administration Guide. By default, the JBoss AS installer gives users the ability to password protect the console manager, limiting an attack using this vulnerability to authorised users. These steps can also be performed manually.

Update as of 10/22/2011: JBoss has issued a new Statement Regarding Security Threat to JBoss Application Server:
Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it.

Here is the JBoss Community note:
http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

Resolution

The quickest and easiest approach to correct this security vulnerability is to:
  1. Remove the offending service
  2. Secure the JBoss JMX and Web Consoles
However, we strongly feel the best approach is to secure JBoss using the following optional procedures:
  - secure jmx-console and web-console authentication via SSL
  - secure your Web Application in JBoss Application Server
  - use a one-way hash to protect the administrative password property file
  - secure the invokers
To remove the offending service use the following steps:
  1. Undeploy the web-console application completely by removing the directory deploy/management from the 'default' and 'all' configurations

    or

  2. Comment out the DeploymentFileRepository service deployed by deploy/management/console-mgr.sar in the 'default' and 'all' configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor,
commenting out the following mbean entry (shown as it appears in the stock descriptor):
    ...
    <!--
    <mbean code="org.jboss.console.manager.DeploymentFileRepository"
           name="jboss.admin:service=DeploymentFileRepository">
      <attribute name="BaseDir">./deploy/management</attribute>
    </mbean>
    -->
    ...

The web-console will still work, but without the ability to create alerts/monitors/snapshots.

Secure the JMX and Web Consoles
  1. Secure the JMX Console using a username/password file
    • Locate the jmx-console.war directory. It is normally found in server/default/deploy in your JBOSS_HOME directory.
    • Edit WEB-INF/web.xml and uncomment the security-constraint block.
    • Edit WEB-INF/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >= 4.0.2) and WEB-INF/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >= 4.0.2) and change the users and passwords to what you desire. Please note: they will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
    • Edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value jmx-console maps to an application-policy declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization is done.
  2. Secure the JMX Console using your own JAAS domain
    • Edit WEB-INF/web.xml as above, uncommenting the security-constraint block. Change the role-name value to the role in your domain that can access the console.
    • Edit WEB-INF/jboss-web.xml as in step 1, setting the security domain to the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain, then your JAAS domain is java:/jaas/MyDomain.
    • Redeploy the application.
  3. Secure the web console
    • In the deploy directory, locate management/web-console.war and make the same changes as above to WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/roles properties files.
The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml in the conf directory. You can use a custom JAAS domain or customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the jmx-console so that you have a single user/role mapping to configure.

Update for 4.0.2
The jmx-console-roles.properties and jmx-console-users.properties files have been moved to server/default/conf/props.
The web console is already unpacked in the default server configuration as deploy/management/console-mgr.sar/web-console.war. Edit its WEB-INF/web.xml and jboss-web.xml files as described above for securing the JMX console.

A quicker method to secure the Web and JMX console is the following:
  1. Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml, uncomment the security-constraint block and add a login-config block after the end of the security-constraint block. Example:
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JMXConsole</realm-name>
    </login-config>
  2. Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml and uncomment the security-domain block
  3. Navigate to JBOSS_HOME/server/default/conf/props/jmx-console-users.properties and change the password for admin
  4. Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the security-constraint block
  5. Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the security-domain block
  6. Navigate to JBOSS_HOME/server/default/conf/login-config.xml and change the paths to web-console-users.properties and web-console-roles.properties in the web-console policy's usersProperties and rolesProperties module-options as follows (add props/ to the front of each path): props/web-console-users.properties and props/web-console-roles.properties
  7. Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties and JBOSS_HOME/server/default/conf/props and edit the files as needed
  8. Navigate to JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties and JBOSS_HOME/server/default/conf/props/web-console-roles.properties and edit them as needed
  9. Restart JBoss
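As an added example (not code from the TID or from JBoss), a small check that reads the two console descriptors named in the steps above and reports whether the security-constraint, login-config and security-domain blocks are actually uncommented; the descriptors below are constructed samples trimmed to the relevant elements.

```python
"""Audit a JBoss 4.x console's WEB-INF/web.xml and WEB-INF/jboss-web.xml
for the settings the procedure above requires. Added example; the sample
descriptors are constructed (read the real files from the .war directory)."""
import xml.etree.ElementTree as ET

# Constructed sample: stock jmx-console web.xml, security-constraint still commented out.
UNSECURED_WEB_XML = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""

# Constructed sample: the same file after steps 1 and 2 of the quicker method.
SECURED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JMXConsole</realm-name>
  </login-config>
</web-app>"""

UNSECURED_JBOSS_WEB_XML = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
SECURED_JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"


def audit_console(web_xml: str, jboss_web_xml: str) -> list:
    """Return a list of findings; empty means both descriptors carry the blocks
    the steps above require. The parser drops XML comments, so a block that is
    still commented out is simply absent from the tree."""
    findings = []
    web = ET.fromstring(web_xml)
    constraints = web.findall("security-constraint")
    if not constraints:
        findings.append("web.xml: no active security-constraint block")
    for sc in constraints:
        if "/*" not in [p.text for p in sc.iter("url-pattern")]:
            findings.append("web.xml: security-constraint does not cover /*")
        if not list(sc.iter("role-name")):
            findings.append("web.xml: security-constraint has no auth-constraint role")
    if web.find("login-config/auth-method") is None:
        findings.append("web.xml: no login-config/auth-method block")
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain")
    if not domain or not domain.startswith("java:/jaas/"):
        findings.append("jboss-web.xml: security-domain missing or not a java:/jaas/ name")
    return findings
```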
How to secure the JMX-console and Web-console authentication via SSL
These steps will redirect the JBoss admin pages to
https://localhost:8443
  1. You must first enable HTTP authentication as outlined in the sections above.
  2. Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and include the following just before the closing </security-constraint> tag:
    ...
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  3. Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml and include the same block just before the closing </security-constraint> tag:
    ...
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  4. Create a keystore and supply a secure password. (For information on creating a keystore please see TID#3103136 How to install a signed certificate into Jboss for the IDM3 User Application, https://support.microfocus.com/kb/doc.php?id=3103136&sliceId=SAL_Public&dialogID=24642412&stateId=0%200%2024646267)
  5. Enable SSL in JBoss
    • Locate the jbossweb-tomcat55.sar directory under JBOSS_HOME/server/YourJBossServer/deploy.
    • In it, find server.xml and open that file in a text editor.
    • Enable SSL by uncommenting the "SSL/TLS Connector" or adding the following section if it is not there:

      <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/spitfire/conf/jboss.jks"
        keystorePass="changeit" sslProtocol="TLS" />
      **Note 1: Remember to point "keystoreFile" to the keystore you created, for example ${jboss.server.home.dir}/conf/server.keystore
      **Note 2: Remember to change keystorePass="changeit" to your keystore password
  6. Restart your JBoss Server and test. When restarting the JBoss Server you should see the server running on two ports, your HTTP port and your SSL port 8443 (https).
Securing a Web Application in JBossAS
  • Create a simple security domain for JBoss SX
    • Open the ${jboss.dist}/server/${server.name}/conf/login-config.xml file
      • This file sets up the configuration for the security domains available to applications running in the server. The file contains a few example domains you may want to look at for reference.
      • JBoss SX uses JAAS as its underlying security infrastructure.
      • JAAS uses a class called a "login module" to interact with a security store for authenticating credentials.
      • This file basically hooks up a security domain to a JAAS login module.
      • JBoss Application Server comes packed with the "UsersRolesLoginModule". The "UsersRolesLoginModule" allows you to specify user names, passwords and roles in a simple property file.
    • Copy the "jmx-console" domain policy
      • The "jmx-console" security domain policy contains the basics for configuring a UsersRolesLoginModule based security domain:

        <application-policy name="jmx-console">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag="required">
              <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
              <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
            </login-module>
          </authentication>
        </application-policy>

      • Copy this section to the bottom of the file.
      • Edit the "name" attribute on the application-policy element to "my-web".
      • Edit the "usersProperties" module-option text value to "props/my-web-users.properties".
      • Edit the "rolesProperties" module-option text value to "props/my-web-roles.properties".
      • Save the login-config.xml file.
    • In the ${jboss.dist}/server/${server.name}/conf/props directory,
      • copy jmx-console-users.properties into a new file called my-web-users.properties,
      • copy jmx-console-roles.properties into a new file called my-web-roles.properties.
      • Open the "my-web-users.properties" file; notice that you will see a single entry like "admin=admin" (the structure is "username=password"). When a user logs into the security domain, the login module will examine the properties data in this file for users.
      • Add a new user, for example "tester=security", to the file under "admin=admin".
      • Save the file.
      • Open the my-web-roles.properties file; notice an entry similar to "admin=JBossAdmin,HttpInvoker". These entries define the roles a user has associated with their account at login. The structure is "username=Role1,Role2,...": the username is the user you wish to assign roles to, and the Roles entries are a comma separated list of roles to assign to that user.
      • Add a new entry to this file, for example "tester=WebAppUser", on a new line below the "admin=..." entry.
      • Save the file.
  • Configure the web application for security by adding constraints to the web deployment descriptor.
    • Modify the web.xml in the WEB-INF directory of the web application you are securing to add the following:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>All resources</web-resource-name>
          <description>Protects all resources</description>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>WebAppUser</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <role-name>WebAppUser</role-name>
      </security-role>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
      </login-config>

      Note: "security-constraint" is used to define what resources in the web application are protected.
      - The "url-pattern" element specifies the URL pattern to protect (the example above protects _all_ resources in the web application).
      - The "auth-constraint" element specifies which roles have access to the protected resource (the example specifies just one role). This role name must match the name of the role you specified in the "my-web-roles.properties" file.
      - The "login-config" element specifies how authentication occurs with the web application.
      - The "auth-method" element specifies how the browser gets credentials from the user. "BASIC", "DIGEST", "FORM" and "CLIENT-CERT" are the possible methods to retrieve credentials from the browser user. The example above uses "BASIC", but this method should not be used in a production environment unless you are using SSL/TLS.
      - The "realm-name" element just specifies the authentication realm name that is given to the browser for authentication.
  • Configure the jboss-web.xml file to point to the "my-web" security domain.
    • Edit the jboss-web.xml in the WEB-INF directory of the web application you are securing
      - add the following inside the "jboss-web" element: <security-domain>java:/jaas/my-web</security-domain>
      This instructs JBoss Application Server to connect the web application to the "my-web" security domain we defined in the login-config.xml file earlier.
  • Start the JBoss Application Server
  • In a browser navigate to your application
    - you should be prompted for a username and password.
  • Enter the user and password we created earlier; in our example we used "tester" for the username and "security" for the password.
    If your set-up is correct, you will be allowed access to the web application.

    • To test that unauthorized users are refused,
      • close the browser, open it again and navigate back to your application.
      • When prompted, enter no credentials, or "admin" with password "admin";
        you should not have access to the application.
Protecting the Administrator password property file
You can also use a one-way hash to protect the admin password property file.
In the section "Securing a Web Application in JBossAS" above we used the following configuration fragment:

  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag="required">
    <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
    <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
  </login-module>

To add the hash support, you need to add the following options to it:

    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">base64</module-option>

Now in the usersProperties file, you no longer write user=pass. Instead, you write user=md5(pass), where md5(pass) is the base64 encoding of the MD5 digest of the password.
The user is responsible for generating the md5() value, either by themselves or using the following program (please notice that it relies on org.jboss.security.Util, which is in jbosssx.jar).
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.jboss.security.Util;

class HashPassword
{
    public static void main(String[] args) throws NoSuchAlgorithmException
    {
        if (args.length != 1)
        {
            System.err.println("usage: java HashPassword <password>");
            System.exit(1);
        }
        String password = args[0];
        // Same digest the UsersRolesLoginModule applies with hashAlgorithm=MD5;
        // a missing MD5 provider now fails loudly instead of causing a NullPointerException
        MessageDigest md = MessageDigest.getInstance("MD5");
        // platform default charset, as in the original program
        byte[] passwordBytes = password.getBytes();
        byte[] hash = md.digest(passwordBytes);
        // base64 output matches hashEncoding=base64 in login-config.xml
        String passwordHash = Util.encodeBase64(hash);
        System.out.println("password hash:" + passwordHash);
    }
}
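As an added example (not the TID's HashPassword program and not JBoss code), the same user=base64(md5(pass)) format produced and then checked the way the hashed login module checks it, plus a scan for entries that were left in plaintext after the hash options were switched on; the properties file is constructed.

```python
"""Produce and verify the user=base64(md5(pass)) entries that the hashAlgorithm=MD5
and hashEncoding=base64 options above make the login module expect. Added example;
the properties file below is constructed, not taken from a real server."""
import base64
import hashlib
import hmac


def hash_password(password: str) -> str:
    """base64 of the raw 16-byte MD5 digest: the value stored in users.properties."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def parse_properties(text: str) -> dict:
    """Minimal key=value reader for a users.properties file (comments and blanks skipped)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                users[key.strip()] = value.strip()
    return users


def check_login(users: dict, username: str, password: str) -> bool:
    """Authenticate as the hashed module does: hash the supplied password and compare
    it with the stored value (constant-time comparison)."""
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, hash_password(password))


def unhashed_entries(users: dict) -> list:
    """Users whose stored value cannot be a base64 MD5 digest (16 bytes -> 24 chars).
    Once the hash options are enabled such users can no longer log in, and the value
    is usually a plaintext password that was left behind in the file."""
    bad = []
    for user, value in users.items():
        try:
            ok = len(value) == 24 and len(base64.b64decode(value, validate=True)) == 16
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            ok = False
        if not ok:
            bad.append(user)
    return bad


# Constructed my-web-users.properties: two hashed entries and one left in plaintext.
SAMPLE_USERS_PROPERTIES = (
    "# users for the my-web domain\n"
    f"admin={hash_password('admin')}\n"
    f"tester={hash_password('security')}\n"
    "legacy=security\n"
)
```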

Securing the Invokers
  • Enabling authentication to the RMIAdaptor service
    • In JBossAS 4.0.x, edit jmx-invoker-service.xml
    • In JBossAS 3.2.x, edit jmx-invoker-adaptor-server.sar/META-INF/jboss-service.xml
      and uncomment the descriptors section of the invoke operation:

        <operation>
          <description>The detached invoker entry point</description>
          <name>invoke</name>
          <parameter>
            <description>The method invocation context</description>
            <name>invocation</name>
            <type>org.jboss.invocation.Invocation</type>
          </parameter>
          <return-type>java.lang.Object</return-type>
          <descriptors>
            <interceptors>
              <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                           securityDomain="java:/jaas/jmx-console"/>
            </interceptors>
          </descriptors>
        </operation>

The value of the securityDomain attribute maps to the security domain name found in the conf/login-config.xml definitions, in the same way as the jboss.xml and jboss-web.xml security-domain elements.

  • Enabling authorization to the RMIAdaptor service
    - An "AuthorizationInterceptor" is available in JBoss. Place the interceptor after the "AuthenticationInterceptor". Configuration:
      * authorizingClass: fully qualified name of a class that does the authorization and contains a method with the following signature,
        "public void authorize(Principal caller, Subject subject, String objectname, String opname)", which can throw a java.lang.SecurityException
An example of an authorizing class is org.jboss.jmx.connector.invoker.RolesAuthorization, which looks for a hardcoded "JBossAdmin" role in the authenticated subject.

    <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                 securityDomain="java:/jaas/jmx-console"/>
    <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
                 authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>

Starting with 4.0.4.GA, JBoss has an authorization delegate that reads the authorized roles from a properties file called "jmxinvoker-roles.properties", which can be in a jar file or in the conf directory.

    <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                 securityDomain="java:/jaas/jmx-console"/>
    <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
                 authorizingClass="org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization"/>

The format of the "jmxinvoker-roles.properties" file is:
#Specify the roles that are authorized to access the jmx invoker delimited by comma
roles=testRole,testRole1
If you don't succeed in securing the RMIInvoker:
  1. Try placing the security-service.xml in a SAR
  2. Create a folder named security.sar that has a subfolder named META-INF
  3. Move your security-service.xml to this folder and rename it to jboss-service.xml
  4. Place the security.sar in the deploy folder
Update as of 10/22/2011: additional information for locking down the JBoss Application Server
Here is the link for locking down the different versions of the JBoss consoles:
http://community.jboss.org/wiki/SecureTheJmxConsole
Status

Security Alert
Top Issue

Additional Information

Note: This may appear as a security vulnerability with the 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the JBoss web server that RBPM is using.

https://community.jboss.org/wiki/SecureJboss/