JBoss Remoting Vulnerability

Updated -

Red Hat Product Security has identified a potential vulnerability in JBoss Enterprise Application Server (EAP) 5 and supported versions of JBoss BRMS 5.x, JBoss SOA Platform (SOAP) 5.x, and JBoss Portal 5.x.

These products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification, JSR 160. This partial implementation omits the security defined in JSR 160 and therefore applies no authentication or authorization constraints. A remote attacker could potentially use this to execute malicious code on a vulnerable server. This vulnerability is identified by CVE-2014-3518.

JMX remoting is not enabled by default in these products. Therefore, they will only be vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory.

To determine if your system is vulnerable, use the Remote Code Execution Detector offered as part of Red Hat Access Labs, a benefit of your Red Hat subscription.

Administrators of affected systems should undeploy jmx-remoting.sar if their applications do not require JMX remoting. If it is required, JMX remoting should be secured by following these steps.
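As an added example, not part of the Red Hat article and separate from the Remote Code Execution Detector, the following POSIX shell check reports whether jmx-remoting.sar is deployed in any server profile on the local host. It assumes the EAP 5 directory layout $JBOSS_HOME/jboss-as/server/<profile>/deploy (or $JBOSS_HOME/server/<profile>/deploy), which the article does not state.

```shell
# Added example (not from the article): local check for a deployed jmx-remoting.sar.
# Assumption: server profiles live in $JBOSS_HOME/jboss-as/server/<profile>/deploy
# or $JBOSS_HOME/server/<profile>/deploy. Any hit means JMX remoting is enabled.

# Print "<profile> <path>" for every jmx-remoting.sar found (exploded dir or archive).
list_jmx_remoting() {
  jboss_home="$1"
  for deploy in "$jboss_home"/jboss-as/server/*/deploy "$jboss_home"/server/*/deploy; do
    [ -d "$deploy" ] || continue                   # unmatched glob or missing directory
    profile=$(basename "$(dirname "$deploy")")
    # -name matches both an exploded jmx-remoting.sar/ directory and a .sar archive
    find "$deploy" -name 'jmx-remoting.sar' -print 2>/dev/null | while read -r hit; do
      echo "$profile $hit"
    done
  done
}

# Number of jmx-remoting.sar deployments found (0 = not enabled via this vector).
count_jmx_remoting() {
  list_jmx_remoting "$1" | wc -l | tr -d ' '
}

# Exit status 0 when nothing is deployed; 1 when the connector is present and
# must be undeployed or secured as the advisory describes.
check_jmx_remoting() {
  hits=$(list_jmx_remoting "$1")
  if [ -z "$hits" ]; then
    echo "OK: no jmx-remoting.sar deployed under $1"
    return 0
  fi
  echo "WARNING: jmx-remoting.sar deployed (undeploy it or secure JMX remoting):"
  echo "$hits" | sed 's/^/  profile /'
  return 1
}
```

Run it as `check_jmx_remoting /path/to/JBOSS_HOME`; a non-zero exit status makes it usable from a configuration audit job.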

If you have further questions or concerns, please contact Red Hat Technical Support.

  • Product: Red Hat JBoss Enterprise Application Platform; Red Hat JBoss Portal; Red Hat JBoss SOA Platform; Red Hat Decision Manager
  • Category: Secure