Important DCM4CHEE security fix

Posted by Martin Peacock in DCM4CHEE

Stephen Wheat of Emory University has pointed out that a JBoss vulnerability affects DCM4CHEE. Click through to see the details if they are of any interest, but effectively the upshot is that while the HTTP GET and POST verbs are security-restricted, other verbs (such as HEAD) are not. This means remote users can run arbitrary code under the jboss user (very often root) without user credenti

It has been patched in dcm4chee-2.17.1, but the fix is easy enough to apply to previous versions. In the file server/default/deploy/jmx-console.war/WEB-INF/web.xml find the following block (probably towards the bottom of the file):

<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application

.. and, within that security constraint, remove the lines that limit the constraint to the GET and POST methods.

With no per-verb restriction left, the constraint applies to every HTTP verb, so all requests are routed through the security checks by default.
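As an added example (not from the original post or the dcm4chee project), a small Python check that parses a web.xml, reports any security constraint that only covers the HTTP methods it lists, and emits a copy with those method elements removed, which is the fix described above. The sample web.xml is constructed to match the standard jmx-console block the post quotes; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console block the post quotes: the
# constraint lists only GET and POST, so requests using any other verb skip it.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so DTD-based and namespaced files match."""
    return tag.rsplit("}", 1)[-1]

def _collections(root):
    """All web-resource-collection elements, gathered up front so the tree can be edited safely."""
    return [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]

def find_verb_limited_constraints(web_xml):
    """Return (web-resource-name, [verbs]) for each collection restricted to listed methods only."""
    findings = []
    for wrc in _collections(ET.fromstring(web_xml)):
        verbs = [e.text.strip() for e in wrc if _local(e.tag) == "http-method" and e.text]
        if verbs:
            names = [e.text.strip() for e in wrc if _local(e.tag) == "web-resource-name" and e.text]
            findings.append((names[0] if names else "?", verbs))
    return findings

def remove_http_method_elements(web_xml):
    """Return (fixed_xml, removed_count) with every <http-method> dropped, as the post's fix does."""
    root = ET.fromstring(web_xml)
    removed = 0
    for wrc in _collections(root):
        for e in [e for e in wrc if _local(e.tag) == "http-method"]:
            wrc.remove(e)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Run find_verb_limited_constraints over a deployed web.xml to confirm nothing is still verb-limited after the edit; an empty result means every constraint now applies to all verbs.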
