Resolution

Red Hat JBoss Enterprise product releases at or later than the versions listed below are not affected. Please ensure you are on one of these versions or a later one:

Red Hat JBoss Enterprise Application Platform (EAP) 5.1.2

Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08

Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09

Red Hat JBoss SOA-Platform (SOA-P) 5.0.2

Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03

Reverse Proxy

Using a reverse proxy, such as httpd, and not exposing the console applications to unprotected networks helps mitigate this attack.

Default Passwords

Please be aware that using the suggested password in conf/props/jmx-console-users.properties is NOT recommended. Ensure you use a password which is unique, easy for you to remember, but hard for others to guess.

This exploit attacks the following administration features of JBoss EAP 4.x and 5.x:

web-console.war

http-invoker.sar

jmx-console.war

jmx-invoker-adaptor-server.sar

admin-console.war

While these features are secured by default in the versions listed above, it is recommended to prevent access to them from the internet: place a reverse proxy such as httpd in front of the server and do not expose these features through it. If you are not using any of these features, it is best to remove them.

EAP or SOA-P 4.3 or 4.2

Customers using EAP or SOA-P versions 4.3 or 4.2 are advised to upgrade to at least the versions above and, in addition, apply the following configuration change:

Edit this file:

jboss-as/server/<profile>/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml

Remove these lines:

<http-method>GET</http-method>
<http-method>POST</http-method>

EAP 5.1.1 and 5.1.0, and SOA-P 5.0.1

Upgrade to EAP 5.2.0

Upgrade to SOA-P 5.3.1

If you cannot upgrade you should apply the following configuration change:

Edit this file:

jboss-as/server/<profile>/deploy/http(ha)-invoker.sar/invoker.war/WEB-INF/web.xml

Remove these lines:

<http-method>GET</http-method>
<http-method>POST</http-method>

EAP 5.0.1

Users of EAP 5.0.1 are advised to upgrade to version 5.2.0. However, if you cannot upgrade, you should apply the configuration change above for EAP 5.1.0 and 5.1.1 in addition to this one:

Edit the following file:

jboss-as/server/<profile>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

Remove these lines:

<http-method>GET</http-method>
<http-method>POST</http-method>

EAP 5.0.0 and SOA-P 5.0.0

Upgrade to EAP 5.2.0.

Upgrade to SOA-P 5.3.1.

However, if you cannot upgrade, please apply the configuration changes suggested for EAP 5.0.1 and 5.1.1 as well as the following configuration change:

Edit this file:

jboss-as/server/<profile>/deploy/jmx-console.war/WEB-INF/web.xml

Remove these lines:

<http-method>GET</http-method>
<http-method>POST</http-method>
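As an added example (not part of this Red Hat article and not Red Hat tooling), the following Python script audits a web.xml of the kind referenced in the sections above and performs the edit they describe. It reports every <security-constraint> whose <web-resource-collection> is limited to explicit <http-method> values, since such a constraint only protects the listed verbs and leaves requests using any other verb outside the <auth-constraint>, and it writes a copy with those elements removed so the constraint covers every HTTP method. The embedded web.xml is constructed to mirror the shape of the constraint discussed, not copied from a JBoss distribution, and the function names are my own.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not copied from a JBoss distribution): a security-constraint
# of the shape the article describes, limited to GET and POST only.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# The same sample carrying the default Java EE namespace, as real web.xml files do.
NAMESPACED_WEB_XML = SAMPLE_WEB_XML.replace(
    "<web-app>", '<web-app xmlns="http://java.sun.com/xml/ns/javaee">', 1)


def _local(tag):
    """Tag name with any '{namespace}' prefix removed."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _children(elem, name):
    """Direct children of elem whose local name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of each direct child named `name`."""
    return [c.text.strip() for c in _children(elem, name) if c.text]


def _constraints(root):
    # Materialise the list first so callers can modify the tree safely.
    return [e for e in root.iter() if _local(e.tag) == "security-constraint"]


def find_method_limited_constraints(xml_text):
    """Report each security-constraint that lists explicit <http-method>
    elements. Such a constraint only protects the listed verbs; a request
    using any other verb is not covered by the auth-constraint. A constraint
    with no <http-method> applies to every verb, which is the hardened state."""
    findings = []
    for sc in _constraints(ET.fromstring(xml_text)):
        for wrc in _children(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:
                findings.append({
                    "resource": (_texts(wrc, "web-resource-name") or [""])[0],
                    "url_patterns": _texts(wrc, "url-pattern"),
                    "methods": methods,
                    "roles": [r for ac in _children(sc, "auth-constraint")
                              for r in _texts(ac, "role-name")],
                })
    return findings


def remove_http_method_restrictions(xml_text):
    """Return (hardened_xml, removed_count): the document with every
    <http-method> stripped out of its security-constraints, i.e. the manual
    edit the article asks for, applied to all constraints at once."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace as xmlns="..." instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = 0
    for sc in _constraints(root):
        for wrc in _children(sc, "web-resource-collection"):
            for method in _children(wrc, "http-method"):
                wrc.remove(method)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage: python harden_web_xml.py [path/to/web.xml]  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WEB_XML
    for f in find_method_limited_constraints(text):
        print("constraint %r on %s limited to %s (roles: %s)" % (
            f["resource"], ",".join(f["url_patterns"]),
            ",".join(f["methods"]), ",".join(f["roles"])))
    hardened, n = remove_http_method_restrictions(text)
    print("removed %d <http-method> element(s); hardened web.xml follows:\n" % n)
    print(hardened)
```

Run it against each of the web.xml paths listed in the sections above and review the report before replacing the file; the hardened output is printed rather than written in place so the change can be diffed against the original first.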

JBoss Application Server (AS) or WildFly

Community releases of the JBoss Application Server (known as WildFly from 2014 onward) prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole

According to the latest FBI report, distributed by Reuters on Monday 28th March 2016, the attack uses JexBoss to find vulnerable JBoss systems. These attacks have leveraged out-of-date and unsecured systems to pivot to other systems on the network.

Red Hat always recommends that system administrators apply the latest patches appropriate for their environments to remediate flaws such as these and others.