JBoss 5.x/6.x Java Deserialization Vulnerability (CVE-2017-12149) Mitigation

Document ID : KB000098877
Last Modified Date : 31/05/2018
Issue:
After running a vulnerability scan, you may see a finding for CVE-2017-12149, a Java deserialization bug in JBoss versions 5.x and 6.x that allows arbitrary code execution. As JBoss is installed as part of Process Automation, how can we mitigate this vulnerability?
Resolution:
The following steps are a modification of RedHat's recommended mitigation steps, tailored for a Process Automation installation of JBoss.
  1. Stop the PAM node.
  2. Go to <PAM_Installation_Folder>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF
  3. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint. After updating, the security-constraint in web.xml should look similar to the section below:

     <security-constraint>
       <web-resource-collection>
         <web-resource-name>HttpInvokers</web-resource-name>
         <description>An example security config that only allows users with the
           role HttpInvoker to access the HTTP invoker servlets
         </description>
         <url-pattern>/*</url-pattern>
         <url-pattern>/restricted/*</url-pattern>
         <url-pattern>/JNDIFactory/*</url-pattern>
         <url-pattern>/EJBInvokerServlet/*</url-pattern>
         <url-pattern>/JMXInvokerServlet/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
         <role-name>HttpInvoker</role-name>
       </auth-constraint>
     </security-constraint>
  4. Go to <PAM_Installation_Folder>\server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF
  5. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  6. Go to <PAM_Installation_Folder>\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF
  7. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  8. Go to <PAM_Installation_Folder>\server\web\deploy\http-invoker.sar\invoker.war\WEB-INF
  9. Update web.xml by adding <url-pattern>/*</url-pattern> to the security-constraint (similar to step 3).
  10. Start the PAM node.
  11. If you have installed Process Automation in a cluster configuration, repeat the above steps for your other nodes.
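The edit in steps 3, 5, 7 and 9 is the same for all four web.xml files: every role-restricted security-constraint must cover /* so the whole invoker.war requires the HttpInvoker role. The script below is an added example (not part of this KB, nor CA or Red Hat code) that applies that edit to web.xml content and reports whether anything still needed changing, which is useful for verifying all nodes of a cluster; the WEB_XML_PATHS list is an assumed placeholder built from the folders above.

```python
import xml.etree.ElementTree as ET

# The four web.xml files this KB walks through, relative to <PAM_Installation_Folder>
# (placeholder: substitute the real install path before use).
WEB_XML_PATHS = [
    r"server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml",
    r"server\web\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml",
]


def _local(tag):
    """'{uri}name' -> 'name', so DTD-based and namespaced web.xml are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def unprotected_collections(root):
    """web-resource-collections inside a role-restricted security-constraint that
    still lack the catch-all <url-pattern>/*</url-pattern> the KB adds."""
    result = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint" or not _children(sc, "auth-constraint"):
            continue  # only constraints that actually require a role matter here
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {(p.text or "").strip() for p in _children(wrc, "url-pattern")}
            if "/*" not in patterns:
                result.append(wrc)
    return result


def ensure_catch_all(xml_text):
    """Apply the KB's step 3 to the given web.xml text. Returns (new_text, n_changed);
    a second run on the result reports 0 changes."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:  # keep the default namespace unprefixed on output
        ET.register_namespace("", ns[1:-1])
    changed = 0
    for wrc in unprotected_collections(root):
        new = ET.Element(ns + "url-pattern")
        new.text = "/*"
        # DTD order is web-resource-name, description*, url-pattern*, http-method*:
        # insert before the first url-pattern or http-method, else at the end.
        idx = next((i for i, c in enumerate(wrc)
                    if _local(c.tag) in ("url-pattern", "http-method")), len(wrc))
        wrc.insert(idx, new)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

ElementTree drops any DOCTYPE declaration and comments when serialising, so diff the returned text against the original and keep a backup before writing it over a deployed web.xml.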
Additional Information:
RedHat's official documentation for this vulnerability can be found at the link below:
https://access.redhat.com/security/cve/cve-2017-12149