Resolving "JBoss Web Console is Accessible to Unauthenticated Remote Users" vulnerability

Posted by IAmJeff on Super User See other posts from Super User or by IAmJeff
Published on 2014-08-22T21:45:03Z Indexed on 2014/08/22 22:24 UTC
Read the original article Hit count: 525

Filed under:

security

|

jboss

Our security team has determined there is a vulnerability in one of our systems. We are using version JBoss 5.1.0GA on RHEL 5.10.

Vulnerability description:

JBoss Web Console is Accessible to Unauthenticated Remote Users

Yes, this looks familiar. Refer to Question 501417. I do not find the answer there complete. Can someone (or multiple someones) answer

Does a newer version of JBoss fix this vulnerability?
Are there links describing, in more detail, manual modification of JBoss configuration files to resolve the issue?
Are there others options to remediate this vulnerability?

Why don't I find the other answer complete? I'm not at all familiar with JBoss, so this answer seems a bit too simple.

The web-console.war contains commented-out templates for basic security in its WEB-INF/web.xml as well as commented-out setup for a security domain in WEB-INF/jboss-web.xml.

Just uncomment those basic security blocks and restart? Is there anything else I need to include?

This seems generic. Do I need to include anything about my environment, such as absolute paths, etc.? Am I making this too complicated?

© Super User or respective owner

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More

Related posts about jboss

Migration and deployement problems JBoss 4.2.2.GA to JBoss 6.0.0.M2

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm trying to migrate an application running on JBoss 4.2.2.GA to JBoss 6.0.0.M2 I give you some log to explain my problem : boot.log : 2010-03-16 09:59:29,406 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (Thread-2) Failed to load profile: Summary of incomplete deployments… >>> More
Error deploying Spring application to Jboss due to ClassCastException

as seen on Server Fault - Search for 'Server Fault'
When I try to deploy a spring application in Jboss, I get this error: 11:32:34,045 ERROR [AbstractKernelController] Error installing to Start: name=persistence.unit:unitName=#ehr-punit state=Create java.lang.RuntimeException: Specification violation [EJB3 JPA 6.2.1.2] - You have not defined a jta-data-source… >>> More
How do you install/configure JBoss on Linux/Unix?

as seen on Server Fault - Search for 'Server Fault'
I'm currently working on how install and configure multiple (30+) JBoss EAP 5 configurations (both standalone and clusters) for development, test and production at a client's site (running SuSE). I'm not to fancy about the jboss way of storing application/configuration together with system files… >>> More
Problem in creation MDB Queue connection at Jboss StartUp

as seen on Stack Overflow - Search for 'Stack Overflow'
I am not able to create a Queue connection in JBOSS4.2.3GA Version & Java1.5, as I am using MDB as per the below details. I am putting this MDB in a jar file(named utsJar.jar) and copied it in deploy folder of JBOSS, In the test env. this MDB works well but in another env. [ env settings and… >>> More
Error starting jboss server

as seen on Stack Overflow - Search for 'Stack Overflow'
I've just finished re-installing my OS, and as always install and test standard tools which I use, and now I get this error like never before when I tried to start Jboss 5 from eclipse, its quite big exeption : 3:53:10,693 ERROR [AbstractKernelController] Error installing to Instantiated: name=AttachmentStore… >>> More