Process Automation - JBoss 5.x/6.x Java Deserialization Vulnerability (CVE-2017-12149) Mitigation

Article ID: 98877

Products

CA Process Automation Base

Issue/Introduction

After running a vulnerability scan, you may see a finding for CVE-2017-12149, a Java deserialization vulnerability in JBoss versions 5.x and 6.x that allows arbitrary code execution. Since JBoss is installed as part of Process Automation, how can this vulnerability be mitigated?

Environment

Process Automation

Resolution

The following steps are a modification of Red Hat's recommended mitigation steps, tailored for the JBoss instance installed with Process Automation.
  1. Stop the PAM Node.
  2. Go to <PAM_Installation_Folder>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF
  3. Update web.xml by adding <url-pattern>/*</url-pattern> to the web-resource-collection of the security-constraint. After updating, the security-constraint in web.xml should look similar to the section below:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
          role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/*</url-pattern>
        <url-pattern>/restricted/*</url-pattern>
        <url-pattern>/JNDIFactory/*</url-pattern>
        <url-pattern>/EJBInvokerServlet/*</url-pattern>
        <url-pattern>/JMXInvokerServlet/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>

  4. Go to <PAM_Installation_Folder>\server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF
  5. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  6. Go to <PAM_Installation_Folder>\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF
  7. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  8. Go to <PAM_Installation_Folder>\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF
  9. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  10. Start the PAM node.
  11. If you have installed Process Automation in a cluster configuration, repeat the above steps on each of your other nodes.
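To confirm that the edit was applied to all four web.xml files on a node (and to catch one that was missed), the added script below parses each file and reports any security-constraint that still lacks the catch-all pattern. It is an added example, not part of this article or of Process Automation; the path list mirrors steps 2 to 9, and the sample web.xml content is constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# The four invoker.war web.xml files the steps above edit, relative to <PAM_Installation_Folder>.
INVOKER_WEB_XML = [
    r"server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml",
]

def _local(tag):
    """Strip a namespace ({uri}name -> name) so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def unprotected_collections(web_xml_text):
    """Return the web-resource-name of each <web-resource-collection> inside a
    <security-constraint> that has no <url-pattern>/*</url-pattern>; [] means mitigated."""
    missing = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [(e.text or "").strip() for e in wrc if _local(e.tag) == "url-pattern"]
            names = [(e.text or "").strip() for e in wrc if _local(e.tag) == "web-resource-name"]
            if "/*" not in patterns:
                missing.append(names[0] if names else "<unnamed>")
    return missing

def audit_install(pam_install_folder):
    """Check every listed web.xml under the install folder; returns {path: missing-names}."""
    report = {}
    for rel in INVOKER_WEB_XML:
        path = os.path.join(pam_install_folder, *rel.split("\\"))
        with open(path, encoding="utf-8") as fh:
            report[path] = unprotected_collections(fh.read())
    return report

# Constructed sample (not a real file): the HttpInvokers constraint before the /* pattern is added.
SAMPLE_BEFORE = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>HttpInvokers</web-resource-name><url-pattern>/restricted/*</url-pattern>
<url-pattern>/JNDIFactory/*</url-pattern><url-pattern>/EJBInvokerServlet/*</url-pattern>
<url-pattern>/JMXInvokerServlet/*</url-pattern><http-method>GET</http-method>
<http-method>POST</http-method></web-resource-collection><auth-constraint>
<role-name>HttpInvoker</role-name></auth-constraint></security-constraint></web-app>"""
# The same constraint after step 3: the catch-all pattern is present, so nothing is reported.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("<url-pattern>/restricted", "<url-pattern>/*</url-pattern><url-pattern>/restricted")
```

Run `audit_install(r"C:\path\to\PAM")` on each node after step 10; every entry in the returned dictionary should be an empty list.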

Additional Information

Red Hat's official documentation for this vulnerability can be found at the link below:
https://access.redhat.com/security/cve/cve-2017-12149