CA PAM EJBInvokerServlet and JMXInvokerServlet servlet vulnerability

Document ID : KB000028783
Last Modified Date : 14/02/2018

 

CA Process Automation (PAM) 4.0 through 4.1 SP1 contains a high-risk vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code. The vulnerability lies in the JBoss HTTP invoker servlets EJBInvokerServlet and JMXInvokerServlet, which PAM exposes without authentication. Through them an attacker can upload and execute a malicious web application archive (WAR) file, resulting in full compromise of the server.

To test for this vulnerability, replace <HOST> with the hostname of the PAM installation in the following URLs and request them from a browser or command-line HTTP client without supplying any credentials:

http://<HOST>:8080/invoker/EJBInvokerServlet

http://<HOST>:8080/invoker/JMXInvokerServlet 

If either URL responds without prompting for authentication (anything other than an HTTP 401/403 or a login page), treat the installation as vulnerable.

The Product Vulnerability Response team is tentatively planning on releasing a public security notice for this vulnerability once all affected product teams provide remediation.

 

Affected Products:

 

The following CA products contain this vulnerability:

- CA Process Automation
  - 4.0
  - 4.0 SP1
  - 4.1
  - 4.1 SP1
- CA Process Management for Workflows
  - 4.0
  - 4.0 SP1
  - 4.1
  - 4.1 SP1
- Potentially any CA product using CA PAM 4.0 through 4.1 SP1

 

Note: depending on how the software is configured, the vulnerability may also affect other CA products that embed JBoss Application Server.

 

Non-Affected Products:

 

CA PAM releases prior to 4.0

CA PAM 4.2 and above

 

What to do if a product is affected:

 

Upgrade to CA PAM 4.2 or later.

 

If an immediate upgrade is not possible, use the following workaround in the meantime to password-protect the vulnerable servlets. Apply it to every PAM node.

 

1)    Open <PAM_Home>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml

 

2)    Find the existing security-constraint block:

 

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users
      with the role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

 

3)    Add the following url-pattern lines to the web-resource-collection of the security-constraint above, and remove the two http-method lines. Listing http-method elements limits the constraint to exactly those verbs, so a request using any other method (HEAD, PUT, DELETE, OPTIONS or an arbitrary verb) would bypass it; with no http-method listed, the constraint applies to every method. Also confirm that the same web.xml contains a <login-config> and a <security-role> entry for HttpInvoker, since the auth-constraint relies on them to authenticate users; leave those entries in place.

 

Add:

<url-pattern>/JNDIFactory/*</url-pattern>
<url-pattern>/EJBInvokerServlet/*</url-pattern>
<url-pattern>/JMXInvokerServlet/*</url-pattern>

Remove:

<http-method>GET</http-method>
<http-method>POST</http-method>

Resulting configuration (note that the http-method lines are gone):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users
      with the role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
    <url-pattern>/JNDIFactory/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

 

4)    Save the file and restart the PAM service.

 

5)    Request the following URLs again without credentials (replace <HOST> with the PAM hostname) and confirm that each now demands a username and password instead of responding directly:

 

http://<HOST>:8080/invoker/EJBInvokerServlet

http://<HOST>:8080/invoker/JMXInvokerServlet

 

Note: If the problem was originally detected by a security scanning tool, rescan the PAM server after applying the workaround to confirm the finding is cleared.

 

6)    Repeat these steps on all PAM nodes.
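The following script is an added example, not CA's code, that automates both checks in this article: it parses the invoker.war web.xml text and confirms that an auth-constraint covers the three invoker url-patterns for every HTTP verb (with no leftover http-method lines and a login-config present), and it requests the two servlet URLs without credentials and classifies the response, which is the test from the top of the article and from step 5. The URL layout (http://<HOST>:8080/invoker/...) follows the article; the sample web.xml strings it builds for testing are constructed from the excerpts above and are not CA's actual file.

```python
#!/usr/bin/env python3
"""Check the CA PAM invoker-servlet workaround (added example, not CA's code).

audit_web_xml()  parses invoker.war/WEB-INF/web.xml and confirms an
                 auth-constraint covers the invoker servlets for every verb.
probe()          requests the servlet URLs with no credentials and classifies
                 the response (initial test and step 5 of the workaround).
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# url-patterns the KB adds to the HttpInvokers security-constraint
INVOKER_PATHS = ("/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*")
SERVLETS = ("EJBInvokerServlet", "JMXInvokerServlet")


def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every direct child of elem whose local tag name is `name`."""
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def audit_web_xml(xml_text):
    """Return a list of problems; an empty list means the workaround is in place."""
    root = ET.fromstring(xml_text)
    full, partial = set(), set()  # invoker paths constrained for all verbs / some verbs
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # a constraint without <auth-constraint> restricts nobody
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            hits = set(_texts(wrc, "url-pattern")) & set(INVOKER_PATHS)
            # <http-method> limits the constraint to the listed verbs only;
            # any other method (HEAD, PUT, OPTIONS, ...) bypasses it.
            if _texts(wrc, "http-method"):
                partial |= hits
            else:
                full |= hits
    problems = []
    for path in INVOKER_PATHS:
        if path in full:
            continue
        if path in partial:
            problems.append("%s is protected only for the listed http-method verbs; "
                            "remove the http-method lines" % path)
        else:
            problems.append("no auth-constraint covers %s" % path)
    if not any(_local(e.tag) == "login-config" for e in root.iter()):
        problems.append("no <login-config>: the container cannot authenticate HttpInvoker users")
    return problems


def sample_web_xml(patterns, methods):
    """Constructed minimal web.xml modelled on the KB excerpt (test input only)."""
    pats = "".join("<url-pattern>%s</url-pattern>" % p for p in patterns)
    meths = "".join("<http-method>%s</http-method>" % m for m in methods)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee">'
            "<security-constraint><web-resource-collection>"
            "<web-resource-name>HttpInvokers</web-resource-name>%s%s"
            "</web-resource-collection><auth-constraint><role-name>HttpInvoker"
            "</role-name></auth-constraint></security-constraint>"
            "<login-config><auth-method>BASIC</auth-method></login-config>"
            "<security-role><role-name>HttpInvoker</role-name></security-role>"
            "</web-app>" % (pats, meths))


def classify_status(status):
    """Verdict for an unauthenticated request to an invoker servlet URL."""
    if status in (401, 403):
        return "protected"  # container demanded credentials or denied access
    if status == 404:
        return "absent"     # nothing deployed at this path
    # 200 (including a serialized Java response), 500 etc.: the request reached
    # the servlet with no credentials. A FORM-auth login page also comes back as
    # 200, so inspect the body if the realm uses FORM authentication.
    return "exposed"


def probe(host, port=8080, timeout=5):
    """GET each invoker servlet with no credentials; returns {url: verdict}."""
    results = {}
    for servlet in SERVLETS:
        url = "http://%s:%d/invoker/%s" % (host, port, servlet)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        except (urllib.error.URLError, OSError) as err:
            results[url] = "unreachable (%s)" % err
            continue
        results[url] = classify_status(status)
    return results


if __name__ == "__main__":
    # usage: python check_invoker.py <HOST> [path\to\invoker.war\WEB-INF\web.xml]
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as fh:
            for problem in audit_web_xml(fh.read()) or ["OK"]:
                print("web.xml:", problem)
    for url, verdict in probe(sys.argv[1]).items():
        print(verdict, url)
```

Run it once before the change to see both URLs reported as exposed, and again after step 4 to confirm they are protected; pass the web.xml path as the second argument to catch a constraint that still carries http-method lines, which the probe alone would miss for verbs other than GET.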