-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: Security Advisory 2011-0025
Title: JBoss Application Server Administrative Console Cross-Site Scripting
Version History: 05/12/2011 Initial Publication.

Summary
=======
The JBoss Application Server administrative console is prone to a cross-site scripting vulnerability while handling DOM objects [1]; fixes are available.

CVE-2011-3606 (Candidate)

Severity Level [3]
CVSS2 Base      5.8
Remote          Yes
Local           No
Credibility     Vendor Confirmed
Ease            Exploit Available
Authentication  Not Required

Potential Impact
================
An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

1. An attacker locates a site hosting the vulnerable software.
2. The attacker crafts a URI link that includes malicious script code designed to leverage this issue.
3. The attacker distributes the malicious link (by hosting it in a remotely accessible location, sending it via email, or using some other means) and entices an unsuspecting user to follow it.
4. When the unsuspecting user follows the link, the attacker-specified script code runs in their browser in the context of the affected site.

Vulnerable systems
==================
Red Hat JBoss Application Server 7.0

What can you do?
================
Solutions:
Updates are available. Please see the references for more details.

Work-arounds:
Block external access at the network boundary unless external parties require the service. If possible, block external access to the server hosting the vulnerable software, and permit access for trusted or internal networks and computers only. An administrative console in particular rarely needs to be reachable from the Internet.

Run all software as a non-privileged user with minimal access rights. Attackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software under regular user accounts with limited access to system resources; this may limit the immediate consequences of client-side vulnerabilities.

Deploy network intrusion detection systems to monitor network traffic for malicious activity. Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the web server may log such requests, review its logs regularly.

Do not follow links provided by unknown or untrusted sources. Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.

Set web browser security to disable the execution of script code or active content. Since a successful exploit of cross-site scripting issues often requires executing malicious script code in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation might adversely affect legitimate websites that rely on the execution of browser-based script code.

What to tell your web administrators?
=====================================
Normal security best practices apply. In particular, inform your web administrators to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on links in suspicious emails, and to immediately forward any suspicious email to the respective IT security officer or contact in your institution.
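The work-arounds above recommend reviewing the web server's logs for requests containing suspicious URI sequences. The following script is an added example of that review, written for this advisory and not CERT-EU's or JBoss's own code: it parses constructed access-log lines in the Apache/nginx combined format, percent-decodes each request URI a bounded number of times so that double-encoded payloads are caught, and reports which cross-site-scripting indicators matched. The /console/ path and the sample log lines are assumptions for the illustration, not the affected URL from the advisory.

```python
"""Flag access-log entries whose request URI carries cross-site-scripting
indicators (added example for the log-review work-around; not vendor code).

The sample log lines are constructed for this illustration; the /console/
path is an assumption, not the affected URL from the advisory.
"""
import re
from urllib.parse import unquote

# Apache/nginx combined log format: ip ident user [ts] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristics applied to the fully decoded, lower-cased URI. Hits are
# candidates for a human review, not proof of an attack.
XSS_PATTERNS = [
    (re.compile(r'<\s*script'), 'script tag'),
    (re.compile(r'javascript\s*:'), 'javascript: URI'),
    (re.compile(r'<\s*(img|svg|iframe|body|object|embed)\b'),
     'HTML tag with event surface'),
    (re.compile(r'\bon[a-z]+\s*='), 'inline event handler'),
    (re.compile(r'document\s*\.\s*(cookie|location|write)'), 'DOM access'),
    (re.compile(r'\b(alert|prompt|confirm|eval)\s*\('), 'script call'),
]


def decode_uri(uri, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %253C -> %3C -> '<' is seen,
    folding '+' to space as form-encoded query strings do."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded.replace('+', ' '))
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_uri(uri):
    """Return the names of all indicators that match the decoded URI."""
    decoded = decode_uri(uri).lower()
    return [name for pat, name in XSS_PATTERNS if pat.search(decoded)]


def scan_log(lines):
    """Return (client_ip, raw_uri, indicators) for each suspicious request.
    Unparseable lines are skipped so one malformed entry does not abort
    a review of a large log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_uri(m.group('uri'))
        if indicators:
            hits.append((m.group('ip'), m.group('uri'), indicators))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # Ordinary console request: must not be flagged.
    '203.0.113.5 - - [05/Dec/2011:10:15:01 +0100] '
    '"GET /console/index.html HTTP/1.1" 200 5123',
    # Percent-encoded script tag reading document.cookie.
    '198.51.100.7 - - [05/Dec/2011:10:15:09 +0100] '
    '"GET /console/?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5123',
    # Double-encoded img tag with an onerror handler.
    '198.51.100.7 - - [05/Dec/2011:10:15:12 +0100] '
    '"GET /console/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5123',
    # javascript: URI using '+' as a space.
    '192.0.2.9 - - [05/Dec/2011:10:16:00 +0100] '
    '"GET /console/?redirect=javascript:+alert(1) HTTP/1.1" 302 0',
    # Malformed line: skipped by the parser.
    'garbage',
]

if __name__ == '__main__':
    for ip, uri, indicators in scan_log(SAMPLE_LOG):
        print(f'{ip}  {uri}  ->  {", ".join(indicators)}')
```

One caveat applies directly to this advisory, which concerns a flaw in how the console handles DOM objects: a DOM-based payload can be carried entirely in the URL fragment (the part after `#`), and browsers do not send the fragment to the server, so such a request looks ordinary in the access log and is invisible to NIDS on the wire. Log review and NIDS therefore complement, but do not replace, applying the vendor update and restricting who can reach the console.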
More information
================
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
[2] http://www.jboss.org/
[3] CVSS Details
    CVSS Version 2 Scores
    CVSS2 Base             5.8
    CVSS2 Temporal         4.8
    CVSS2 Base Vector      AV:N/AC:M/Au:N/C:P/I:P/A:N
    CVSS2 Temporal Vector  E:F/RL:OF/RC:C
    More information about CVSS is available at http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID: 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJO3JBzOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4OuEA/+PGK19A03
3J1/j3kRuKooZDSE/Ry79zYx6d+Y3W+8Y493z1l1oJ5VBMPKzoW6a0TQmqAnL2vL
ErXw38OxlCBXkPPe2dmEUHks+1JyK3TW3rj5V+iA3WXjOxxRuIY5GSEMIA0UJctt
WPUWmpu/e4ueqPgO2cCUBCuICtWMi/sqB0Tu/WSFEhMWKX65A/rD8GAvCPloZZ+0
z3wdnHWlm2y9DEwdGK1z+4b9VC1f42WcAv0BXAvmNqPtHWh6t9krPvBsVYAT39mX
4TXvHZ+f3VpjV2w9xjgwrGScHTkGsf5knYlC6N4xErHZrwOmvBAzyC4l6EtqDOzX
WwSg63w4JcEkoETXmnWhXnXg/NjPTQCbgBD1Zw76CPtJBxVgkN8KnpfFOqVlinCu
QGZAP4J0Y1IIMvvkDIS3QQHsP66nRE8Vf2hxqZCT5mx4ecrxGBRU3szyOc9AXSv1
vPodGtAk2pV4wh6nauCDPUdXFMD74Ik7Eac88/8Ec8K72nR4buXR1BChyTAil6ij
kjefAhHt1HfizK3km8K3X8o9layhFlbrySV+ClH5NxlBVnZjFLNLrTWlj50BmnoV
oglYCFcF6jPFSDmMuNsR1qtB5BEDthL4KPalG6Uj0Uc7YZ6TgLKXJIH0yNhBNgeI
C62rzvHI5uVOooiSavcQMZLB9e21XT1V1fY=
=MTiP
-----END PGP SIGNATURE-----