We are getting the following jboss vulnerabilities reported on teh HP-Synchronizer Server. Is there a fix/upgrade to resolve these issues?

  • Questions
  • We are getting the following jboss vulnerabilities reported on teh HP-Synchronizer Server. Is there a fix/upgrade to resolve these issues?
Question ID: 106790
0
0

we are getting the following jboss vulnerabilities. Is there a fix/upgrade to resolve these issues?

The ‘EBJInvokerServlet’ and ‘JMXInvokerServlet’ servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities:

– A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.
(CVE-2007-1036)

– A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.
(CVE-2012-0874)

– A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.
(CVE-2013-4810)

Marked as spam
Posted by (Questions: 188, Answers: 13)
Asked on April 25, 2016 3:10 pm
98 views
Answers (1)
0
Private answer

Starting with ALMQC11.52, HP changed from JBOSS (which has the vunerability) to JETTY (which does not).
Unfortuantely, they did NOT change HP-synchronizer at all -- it still uses JBOSS - even on the latest version Synchronizer 12.5 Sync Pack 2.

There may be some generic JBOSS-related solution on internet, but there is nothing official from HP.
Also, if you apply a generic solution to your ''captive'' (installed with HP-synchronizer) JBOSS, it would be in an ''unsupported'' state and HP may not help us if your server becomes unstable.

Disabling the servlets should correct the issue:

DISBABLED SERVLETS:
--- C:Program FilesHPHP ALM Synchronizerjbossserverdefaultdeployhttp-invoker.sarinvoker.warWEB-INFweb.xml
--- In 'web.xml' ---> DISABLED Servlets 'EJBInvokerServlet' and 'MXInvokerServlet'

Marked as spam
Posted by (Questions: 3, Answers: 476)
Answered on April 25, 2016 3:12 pm