CVE-2017-12149, Security Scan in BSM 9.25.361

  • KM03150423
  • 23-Apr-2018

This document has not been formally reviewed for accuracy and is provided "as is" for your convenience.

Summary

The web.xml file to change is located under the following path: C:\HPBSM\EJBContainer\server\mercury\deploy\http-invoker.sar\invoker.war\WEB-INF. Modify this file by adding <url-pattern>/*</url-pattern> under the security-constraint section of web.xml, so that access to the entire http-invoker context is secured. Users who do not wish to use the http-invoker.sar can remove it instead.

Question

An analysis of critical points has been taken against our BSM 9.25.361 (Build 648) and the CVE-2017-12149 has been found:

"JBoss 5.x/6.x Deserialization Vulnerability Detected on 8080 over TCP. It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data."

The offered solution - by Dr. Google - is:

"Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar. The users who do not wish to use the http-invoker.sar can remove it."

Here are my questions:

1. Searching for web.xml, I have found about 50 files with the name web.xml. Which of them are to be changed?
2. I have to know the section of the file and the exact string to include in that place.
3. Looking for the file http-invoker.sar, I have found only the directory (!) "F:\HPBSM\EJBContainer\server\mercury\deploy\http-invoker.sar". Does that mean that there is no http-invoker.sar file and the analysis does not match? Or do I have to delete that directory?


Answer

The web.xml file to change is located under the following path: C:\HPBSM\EJBContainer\server\mercury\deploy\http-invoker.sar\invoker.war\WEB-INF
(http-invoker.sar is an exploded deployment directory, not a single archive file, so finding only the directory is expected.)
Modify this file by adding <url-pattern>/*</url-pattern> under the security-constraint section of web.xml. Perform this procedure on all BSM servers (GW and DPS) and restart them afterwards.
The other option is to delete the http-invoker.sar folder if you do not want to use it.
We recommend that you try the first option, modifying the web.xml file, first.
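The following is an added, illustrative web.xml fragment showing where the pattern goes; it is not taken from the BSM installation or the original article. The element names follow the standard servlet web.xml schema; the web-resource-name, role name and realm name are assumptions and must be kept as they already appear in your invoker.war/WEB-INF/web.xml. Only the <url-pattern>/*</url-pattern> line is the change the answer describes.

```xml
<!-- Fragment of invoker.war/WEB-INF/web.xml (illustrative; names assumed). -->
<!-- The existing security-constraint typically covers only a sub-path.     -->
<!-- Adding /* makes every path in the http-invoker context require the     -->
<!-- configured role, so unauthenticated callers cannot reach the servlets   -->
<!-- behind ReadOnlyAccessFilter.                                            -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <!-- existing, narrower pattern(s) may remain -->
    <url-pattern>/restricted/*</url-pattern>
    <!-- added line: protect the entire context -->
    <url-pattern>/*</url-pattern>
    <!-- Caveat: if <http-method> elements are listed here, only those verbs
         are constrained and the rest stay open. Leave the method list out so
         the constraint applies to all HTTP methods. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- role name assumed; use the one already present in the file -->
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- realm name assumed; keep the existing value -->
  <realm-name>JBoss HTTP Invoker</realm-name>
</login-config>

<security-role>
  <role-name>HttpInvoker</role-name>
</security-role>
```

After editing the file on every GW and DPS server and restarting, verify the change from a client: an unauthenticated request to any path under the invoker context on port 8080 should now be answered with an HTTP 401 authentication challenge rather than the servlet content, and re-running the scanner should no longer report CVE-2017-12149 for that port.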