
A Vulnerability in Red Hat JBoss Enterprise Application Platform Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-077

DATE(S) ISSUED:

09/05/2017

OVERVIEW:

A vulnerability has been discovered in Red Hat JBoss Enterprise Application Platform (JBoss EAP), which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in Red Hat JBoss EAP, which could allow for arbitrary code execution. This vulnerability exists in the ReadOnlyAccessFilter of the HTTP Invoker, which fails to restrict classes during the deserialization process. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the application. This vulnerability may be exploited by an attacker sending specially crafted serialized data to execute arbitrary code. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
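As an added example, not code from this advisory or from Red Hat/JBoss: a Java ObjectInputStream subclass that enforces an explicit class allow-list in resolveClass, which is the kind of restriction the technical summary says the HTTP Invoker's filter lacked during deserialization. The entries in ALLOWED are an assumed allow-list; a real deployment lists exactly the types the endpoint expects.

```java
import java.io.*;
import java.util.Set;

// Deserializer that resolves only an explicit allow-list of classes. Any other
// class descriptor in the stream is rejected before the class is loaded or
// instantiated, so unexpected gadget types never get a chance to run.
public class AllowListObjectInputStream extends ObjectInputStream {
    // Assumed allow-list for this example; list the exact types your service expects.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.Integer", "java.lang.Number", "java.util.ArrayList");

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // Reject before super.resolveClass() loads the class.
            throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Deserialize one object from raw bytes with the allow-list enforced.
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected payload and one of a type the service never expects.
        byte[] expected = serialize(Integer.valueOf(42));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("accepted: " + readFiltered(expected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing via ObjectInputStream.setObjectInputFilter and an ObjectInputFilter pattern, which is the preferred mechanism where available.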

RECOMMENDATIONS:

  • Apply the workaround identified in the Red Hat advisory, which recommends securing access to the entire http-invoker context by adding `<url-pattern>/</url-pattern>` to the security-constraint in the web.xml file of the http-invoker.sar. Users who do not need the http-invoker.sar can remove it.
  • In addition to updating internal systems, ensure that any third-party systems connected to the network, or that users connect to, are updated.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 7: Email and Web Browser Protections