Browsing all articles from July, 2011

Important DCM4CHEE security fix

Posted by Martin Peacock in DCM4CHEE on Jul 28

Stephen Wheat of Emory University has pointed out that a JBoss vulnerability affects DCM4CHEE. Click through to see the details if they are of any interest, but effectively the upshot is that while the HTTP GET and POST verbs are security restricted, other verbs (such as HEAD) are not. This means remote users can run arbitrary code as the jboss user (very often root) without user credentials.

It has been patched in dcm4chee-2.17.1, but the fix is easy enough to apply to previous versions. In the file server/default/deploy/jmx-console.war/WEB-INF/web.xml find the following block (probably towards the bottom of the file):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

... and remove the lines:

<http-method>GET</http-method>
<http-method>POST</http-method>

With no http-method elements listed, the constraint applies to every verb, so all requests to /* are routed through the security checks by default.
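As an added example (my own code, not from the post or the DCM4CHEE project), a small Python audit that flags any security-constraint whose web-resource-collection enumerates http-method elements, and applies the fix described above by dropping them. It runs on a constructed web.xml fragment modelled on the block quoted above; point it at a real descriptor by reading the file into the string instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console web.xml block in the post
# (not the project's real file): only GET and POST are listed, so any other
# verb reaches the console without passing the auth-constraint.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    # Strip any XML namespace so the audit works on both DTD-style and namespaced descriptors
    return tag.rsplit("}", 1)[-1]


def find_verb_limited_constraints(xml_text):
    """Return [(resource name, [methods])] for every web-resource-collection
    that enumerates <http-method>; such a constraint only guards the listed verbs."""
    root = ET.fromstring(xml_text)
    findings = []
    for coll in root.iter():
        if _local(coll.tag) != "web-resource-collection":
            continue
        methods = [m.text.strip() for m in coll if _local(m.tag) == "http-method" and m.text]
        if methods:
            name_el = next((c for c in coll if _local(c.tag) == "web-resource-name"), None)
            name = name_el.text.strip() if name_el is not None and name_el.text else "?"
            findings.append((name, methods))
    return findings


def remove_http_methods(xml_text):
    """Apply the fix from the post: drop every <http-method> so the constraint
    covers all verbs. Returns the rewritten descriptor as a string."""
    root = ET.fromstring(xml_text)
    for coll in root.iter():
        if _local(coll.tag) == "web-resource-collection":
            for m in [c for c in coll if _local(c.tag) == "http-method"]:
                coll.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, methods in find_verb_limited_constraints(SAMPLE_WEB_XML):
        print(f"{name}: only {', '.join(methods)} are protected")
    print(remove_http_methods(SAMPLE_WEB_XML))
```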