Reference: Security Advisory 2011-0025


Title: JBoss Application Server Administrative Console Cross-Site Scripting

Version History:
05/12/2011 Initial Publication.

Summary
=======
The JBoss Application Server administrative console is prone to a DOM-based cross-site scripting vulnerability in its handling of DOM objects [1]; fixes are available.

CVE-2011-3606 (Candidate)

Severity Level [3] CVSS2 Base 5.8

Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                Exploit Available
Authentication      Not Required


Potential Impact
================

An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

1. An attacker locates a site hosting the vulnerable software.
2. The attacker crafts a URI link that includes malicious script code designed to leverage this issue.
3. The attacker distributes the malicious link (by hosting it in a remotely accessible location, sending it via email, or using some other means) and entices an unsuspecting user to follow it.
4. When the unsuspecting user follows the link, the attacker-specified script code runs in their browser in the context of the affected site.

Vulnerable systems
==================

Red Hat JBoss Application Server 7.0

What can you do?
================

Solutions:

Updates are available. Please see the references for more details.

Work-arounds:

Block external access at the network boundary unless external parties require service. If possible, block external access to the server hosting the vulnerable software. Permit access for trusted or internal networks and computers only.
Run all software as a nonprivileged user with minimal access rights. Attackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software under regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities.
Deploy network intrusion detection systems to monitor network traffic for malicious activity. Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the web server may log such requests, review its logs regularly.
Do not follow links provided by unknown or untrusted sources. Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Set web browser security to disable the execution of script code or active content. Since a successful exploit of cross-site scripting issues often requires executing malicious script code in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation might adversely affect legitimate websites that rely on the execution of browser-based script code.
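One way to carry out the log-review workaround above, as an added example that is not part of this advisory or of the JBoss project: a small Python scanner that percent-decodes the request URI of each Apache/NCSA combined-format log line (decoding twice to unwrap double-encoded values) and flags common script-injection indicators. The log lines, paths and indicator list below are constructed assumptions, not real JBoss AS 7 traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/NCSA combined format; illustrative only,
# not real JBoss AS 7 administrative console traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2011:10:12:01 +0100] "GET /console/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Dec/2011:10:12:09 +0100] "GET /console/index.html?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Dec/2011:10:13:22 +0100] "GET /console/index.html?page=x%2522%2520onload%253Dalert(1) HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.11 - - [05/Dec/2011:10:14:05 +0100] "GET /console/app/main.js HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of script injection in a URI, checked against the decoded URI so
# single or double percent-encoding cannot hide them.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_uri(uri: str) -> str:
    """Percent-decode twice to unwrap double-encoded payloads."""
    return unquote_plus(unquote_plus(uri))


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded URI matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        decoded = decode_uri(m.group("uri"))
        for name, pattern in SUSPICIOUS:
            if pattern.search(decoded):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "indicator": name, "uri": decoded})
                break  # one finding per request is enough for review
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicator']}: {f['uri']}")
```

Note that a DOM-based payload carried in the URL fragment (after `#`) is never sent to the server, so log review of this kind only catches payloads placed in the path or query string.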



What to tell your web administrators?
=====================================

Normal security best practices apply. In particular, remind your Web administrators to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should be aware not to click on links in suspicious emails, and should immediately forward any suspicious email to the IT security officer or contact in your institution.

More information
================

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
[2] http://www.jboss.org/
[3] CVSS Details 

CVSS Version 2 Scores
CVSS2 Base          5.8
CVSS2 Temporal      4.8
CVSS2 Base Vector   AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS2 Temporal Vector E:F/RL:OF/RC:C

More information about CVSS is available at http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID: 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383