-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: Security Advisory 2011-0024
Title: JBoss AS Administration Cross Site Request Forgery Vulnerability
Version History: 05/12/2011 Initial Publication.

Summary
=======
JBoss AS is prone to a cross-site request-forgery (CSRF) vulnerability in
its administration interface [1][2]; fixes are available.

CVE-2011-3609 (Candidate)

Severity Level [3]
  CVSS2 Base:      7.5
  Remote:          Yes
  Local:           No
  Credibility:     Vendor Confirmed
  Ease:            Exploit Available
  Authentication:  Not Required

Potential Impact
================
An attacker may leverage this issue to make the browser of an administrator
who is logged in to the JBoss administration interface send requests that
the server accepts as the administrator's own, because the browser attaches
the administrator's session cookie to them automatically. Administrative
actions can thus be carried out with the victim's privileges and without
the victim's knowledge.

1. The attacker crafts a malicious web page or URI that causes the visiting
   browser to issue a request to the administration interface on the
   attacker's behalf.
2. The attacker entices an unsuspecting victim who holds an active
   administrator session to visit the malicious page.
3. When the page is viewed, the victim's browser sends the attacker-chosen
   request together with the victim's session cookie, and the server
   performs the action in the context of the victim.

Vulnerable systems
==================
Red Hat JBoss Application Server 7.0.2
Red Hat JBoss Application Server 7.0

What can you do ?
=================
Solutions:
  Updates are available. Please see the references for more details.

Work-arounds:
  - Block external access at the network boundary unless external parties
    require the service. Filter access to the affected device at the network
    boundary if global access isn't required. Restricting access to only
    trusted devices and networks greatly reduces the likelihood of a
    successful exploit. Note, however, that in a CSRF attack the request is
    sent by the administrator's own browser, so network filtering helps only
    insofar as it keeps that browser's requests from reaching the
    administration interface from untrusted locations.
  - Deploy network intrusion detection systems (NIDS) to detect and block
    attacks and anomalous activity, such as requests containing suspicious
    URI sequences. Since the web server may log such requests, review its
    logs regularly; state-changing requests to the administration interface
    whose Referer points to a foreign site are the signature to look for.
  - Run all software as a non-privileged user with minimal access rights.
  - To limit the consequences of a successful exploit, run server processes
    within a restricted environment using facilities such as chroot or jail.
  - Do not follow links provided by unknown or untrusted sources. Web users
    should be cautious about following links to sites that are provided by
    unfamiliar or suspicious sources. Filtering HTML from emails may help
    remove a possible vector for transmitting malicious links to users.
  - Consider disabling the execution of JavaScript and other active content
    in the client browser. Note that this only narrows the attack surface:
    a cross-site request can also be triggered without script, for example
    by an image or iframe tag or by a hidden form submitted with a single
    click, so it is not a complete mitigation, and it might adversely affect
    legitimate websites that rely on browser-based script code.

What to tell your web administrators ?
======================================
Normal security best practices apply. A cross-site request forgery can only
succeed while the administrator holds a valid session with the
administration interface, so administrators should log out of the interface
as soon as they are done with it and avoid browsing other sites while logged
in. Especially, inform your web administrators to be cautious about
following links to sites that are provided by unfamiliar or suspicious
sources. Users should not click on links in suspicious emails and should
immediately forward such emails to the respective IT security officer /
contact in your institution.
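The two checks this advisory calls for, a server-side rejection of cross-site
requests to the administration interface and a review of the access log for
requests that slipped through, as an added example. This is illustrative code
written for this page; it is not part of the CERT-EU advisory and not the
JBoss AS fix. It assumes the administration endpoints live under /management
and /console (the JBoss AS 7 defaults), that the admin UI is served from one
known origin (the constructed https://jboss-admin.example.internal), and that
the access log is in Apache combined format with a Referer field. The sample
log lines are constructed, not real traffic.

```python
# Added example, not from the CERT-EU advisory or the JBoss AS code base.
# Assumptions: admin endpoints under /management and /console, one known
# admin-UI origin, combined-format access log. All sample data is constructed.
import hmac
import re
from urllib.parse import urlsplit

ADMIN_PATHS = ("/management", "/console")
ALLOWED_ORIGIN = "https://jboss-admin.example.internal"   # constructed
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def origin_of(url):
    """Reduce a URL (or Origin header value) to scheme://host[:port]."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None            # also covers the literal "Origin: null"
    return f"{parts.scheme}://{parts.netloc}".lower()


def guard_session_only(request):
    """The vulnerable pattern: any request carrying the admin's session
    cookie is executed, no matter which page made the browser send it."""
    return "JSESSIONID=" in request["headers"].get("Cookie", "")


def guard_csrf(request, expected_token):
    """Hardened check for state-changing requests to the admin paths.
    Returns (allowed, reason)."""
    headers = request["headers"]
    if request["method"].upper() in SAFE_METHODS:
        return True, "read-only method"
    if not request["path"].startswith(ADMIN_PATHS):
        return True, "not an admin path"
    if not guard_session_only(request):
        return False, "no session cookie"
    # 1. Source check: browsers send Origin (or at least Referer) on
    #    cross-site POSTs; anything not from our own UI is refused.
    source = origin_of(headers.get("Origin")) or origin_of(headers.get("Referer"))
    if source is None:
        return False, "no Origin or Referer header"
    if source != ALLOWED_ORIGIN:
        return False, f"cross-site request from {source}"
    # 2. Token check: a per-session secret the attacker's page cannot read,
    #    compared in constant time.
    token = headers.get("X-CSRF-Token", "")
    if not expected_token or not hmac.compare_digest(token, expected_token):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def find_cross_site_admin_requests(log_lines):
    """Flag state-changing requests to the admin paths whose Referer is not
    our own UI. Lines with no Referer are reported as 'no-referer': normal
    for scripted API clients, but worth a look."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"].upper() in SAFE_METHODS or not m["path"].startswith(ADMIN_PATHS):
            continue
        source = origin_of(m["referer"]) if m["referer"] != "-" else None
        if source == ALLOWED_ORIGIN:
            continue
        findings.append({
            "ip": m["ip"], "user": m["user"], "time": m["time"],
            "method": m["method"], "path": m["path"], "status": m["status"],
            "referer": m["referer"],
            "verdict": "cross-site" if source else "no-referer",
        })
    return findings


# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - admin [05/Dec/2011:10:15:02 +0100] "GET /console/ HTTP/1.1" 200 4123 '
    '"https://jboss-admin.example.internal/" "Mozilla/5.0"',
    '10.1.2.3 - admin [05/Dec/2011:10:15:40 +0100] "POST /management HTTP/1.1" 200 153 '
    '"https://jboss-admin.example.internal/console/" "Mozilla/5.0"',
    '10.1.2.3 - admin [05/Dec/2011:10:17:09 +0100] "POST /management HTTP/1.1" 200 153 '
    '"http://lure.example.net/jboss.html" "Mozilla/5.0"',
    '10.1.9.9 - - [05/Dec/2011:10:18:00 +0100] "POST /management HTTP/1.1" 200 153 '
    '"-" "python-requests/0.8"',
]

if __name__ == "__main__":
    for f in find_cross_site_admin_requests(SAMPLE_LOG):
        print(f["verdict"], f["ip"], f["user"], f["method"], f["path"], f["referer"])
```

The Origin/Referer comparison alone already stops the browser-driven attack
the advisory describes; the token is kept as a second, independent layer for
clients or proxies that strip those headers. In the log review, the third
sample line is the one the attack would leave behind: a POST to /management
made by the logged-in admin's browser, but referred from a foreign page.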
More information
================
[1] https://bugzilla.redhat.com/show_bug.cgi?id=743006
[2] https://issues.jboss.org/browse/AS7-2400
[3] CVSS Details
    CVSS Version 2 Scores
      CVSS2 Base:            7.5
      CVSS2 Temporal:        6.2
      CVSS2 Base Vector:     AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSS2 Temporal Vector: E:F/RL:OF/RC:C
    More information about CVSS is available at
    http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID: 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJO3I1UOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4OUVw/+KAqGCW6q
0MQ3pAV8iXsqhKHdsIvXz3RvrAsZPt83I1UqpLZ9S7cJnhyZroc4IzaQ2ef4ZYMi
QNeQUfuyTcd6EVm/vjblf3eEgWwCoRwt8VVBfAhBvdINbGESWOm8qPMBN6KXY/CS
ZMlRK9s3C0o2H4H9d/HVJHd3OPkuwCgxuFKzl299d9Ry8KgTRwMBClzjdyrHqG75
hbO6wHXEXBdzM/e932uWI/4VhGxd0VxCMLVQrzSXeto4AtffXSSCUQwx4ygpWS0l
3mpIOnbRP+v5RWx4wVCukTz5BlyUurqoHz8tYOgUofoikfqI+dUNEeMle5k02ANo
GfEssHbIigj01FapuR8XdynJEusar92/AnMg3iRKCwOWqE6C46hxP2LjihZm+vkK
D1vwsmGGv3sgzqqKZaaSEcyKW6sqYCwyOtzR1Wu3q9zsOA28LsOKwz11P7ojiTvk
/vzk51ADT8U0zxUIz0H4ZgaQe3+ISSg08gg5VZw1BYQOoWd9IREjlunrh2FD6FER
JrRfztNsf9XRZJmp1B0LYLmA2SuFUMR6xKXNZOdchSf4uxMZfKVYOyaAJNdf+K6c
Hr1m7J3R596HrUjQuNVuiz6EwAa5WK0dWfUbjQsHcVbyz/cDkwcE930XUYLHFmAW
Hae1aDK9LaJDN+qdwJURCV4U8tqK15HP9dY=
=kHRP
-----END PGP SIGNATURE-----