Computer Security Incident Response Team of Mauritius (CERT-MU)

VN-2017-89


Red Hat JBoss Path Traversal Flaw in Log File Viewer Lets Remote Authenticated Users View Arbitrary Files on the Target System
Severity Rating: Medium
Systems Affected:
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 ppc64
  • JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
  • JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
  • JBoss Enterprise Application Platform 6 for RHEL 6 ppc64
  • JBoss Enterprise Application Platform 6 for RHEL 6 i386
Description
Multiple vulnerabilities have been identified in Red Hat JBoss. They can be exploited by remote attackers to read files on the vulnerable system or to bypass its configured security restrictions. The reported vulnerabilities are as follows:
  • The log file viewer in Red Hat JBoss Enterprise Application Platform 6 and 7 allows an authenticated user to read arbitrary files via path traversal.
  • A malicious web application could bypass a configured Security Manager via a Tomcat utility method that was accessible to web applications.
  • A malicious web application could bypass a configured Security Manager by manipulating the configuration parameters of the JSP Servlet.
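The first item is a classic path traversal: a file name taken from the request is joined to the log directory without confirming that the result still lies inside it. The following Java class is an added example written for this advisory; it is not JBoss EAP code and does not show the vulnerable code itself. It demonstrates the check a log viewer endpoint should perform: reject any name that is not a single path element, then canonicalize the resolved path (following symlinks) and require that it remain under the log directory. The class name, the directory and the file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not JBoss EAP code): a log-viewer helper that refuses any
 * requested file name which would resolve outside the configured log directory.
 * Class, directory and file names are hypothetical.
 */
public final class SafeLogViewer {

    private final Path logDir;

    public SafeLogViewer(Path logDir) throws IOException {
        // Canonicalize the base once so symlinks, "." and ".." in the
        // configured directory itself are resolved before any comparison.
        this.logDir = logDir.toRealPath();
    }

    /**
     * Resolves a user-supplied log file name against the log directory.
     * Returns null whenever the request would escape that directory or does
     * not name an existing regular file.
     */
    public Path resolveLogFile(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // A log file name is exactly one path element: reject separators,
        // traversal tokens and NUL bytes outright rather than trying to
        // sanitize them.
        if (requested.contains("/") || requested.contains("\\")
                || requested.equals(".") || requested.equals("..")
                || requested.indexOf('\0') >= 0) {
            return null;
        }
        Path candidate = logDir.resolve(requested).normalize();
        if (!Files.exists(candidate)) {
            return null;
        }
        // Defence in depth: even a syntactically clean name must canonicalize
        // to a location under logDir. toRealPath() follows symlinks, so a link
        // inside the log directory that points elsewhere is rejected here.
        Path real = candidate.toRealPath();
        if (!real.startsWith(logDir) || !Files.isRegularFile(real)) {
            return null;
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary directory standing in for the
        // server's log directory, containing one hypothetical log file.
        Path dir = Files.createTempDirectory("logs");
        Files.write(dir.resolve("server.log"), "server started\n".getBytes());
        SafeLogViewer viewer = new SafeLogViewer(dir);

        System.out.println(viewer.resolveLogFile("server.log"));       // plain log file name
        System.out.println(viewer.resolveLogFile("../../etc/passwd")); // contains separators
        System.out.println(viewer.resolveLogFile(".."));               // bare traversal token
        System.out.println(viewer.resolveLogFile("missing.log"));      // not present in the directory
    }
}
```

Only the first call yields a path; the other three return null. The order of the checks matters: `Path.startsWith(Path)` compares whole path elements (so `/var/log2` is not treated as being under `/var/log`), and it is applied to the canonical path rather than the raw string, which is what defeats symlink and `..` tricks that string prefix checks miss.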
Solution
Users are advised to apply updates.
More information is available on:

CVE Information

Vendor Information
Red Hat

References
Security Tracker

Red Hat

Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis