Symantec finds vulnerability in JBoss Application Server
Red Hat has warned in a security advisory of a bug in the JBoss Application Server. It appears that Symantec informed Red Hat of a critical bug in the DeploymentFileRepository class of the Java software. Red Hat has now fixed this by releasing a new version. The flaw could be exploited by an attacker to read and write files with the rights of the JBoss user, which could in turn be used to execute non-system programs. Administrators can reduce the risk by password-protecting access to the management console on port 8080; the JBoss documentation describes how to do this, but the protection is not set up by default.
Red Hat does not give any further information and so far there has been no direct information from Symantec. As yet, an updated version is not available from the JBoss website. An advisory merely states that all JBoss AS versions from 3.2.4 to 4.0.5 are affected and provides a link to the bug database.
- Critical: JBoss AS security update, security advisory from Red Hat
- JBoss AS Security Vulnerability Notice, entry on the JBoss blog
- DeploymentFileRepository can be used to write/remove arbitrary files in the filesystem, from the JBoss bug database
(trk)