Important DCM4CHEE security fix

Posted Posted by Martin Peacock in DCM4CHEE     Comments No comments
Jul
28
2011

Stephen Wheat of Emory University has pointed out that a JBOSS vulnerability affects DCM4CHEE.  Click through to see details if they are of any interest but effectively the upshot is that while http GET and POST verbs are security restricted – other verbs (such as HEAD) are not.  This means remote users can run arbitrary code under the jboss user very often – root) without user credenti

It has been patched for dcm4chee-2.17.1 but the fix is easy enough to apply to previous versions.  In the file server/default/deploy/jmx-console.war/WEB-INF/web.xml find the following block of code (probably towards the bottom of the file):

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

.. and remove the lines:

<http-method>GET</http-method>
<http-method>POST</http-method>

This ensures that all verbs are routed through the security checks by default.

Post comment