2. Fixed Security-Related Issues
The following CVEs and security issues have been addressed in JBoss Operations Network 3.0.1.
2.1. Improper System Permissions for the JBoss ON CLI Directory: CVE-2012-0032
After extracting the
rhq-remoting-cli-version.zip package, the JBoss ON CLI root directory had global read, write, and execute permissions. Any child directories and scripts old be accessed and modified by any local user. A local attacker could use these permissions to steal JBoss ON user credentials or to run arbitrary code.
2.2. Improper Handling of LDAP Authentication Failures: Bugzilla 750521/CVE-2012-1100
If a user authenticating to JBoss ON through LDAP gave invalid credentials, they could still be logged into the JBoss ON UI as long as the user account had successfully logged in using LDAP credentials before.
A remote attacker could use this flaw to gain access to the JBoss ON server using an LDAP account without supplying a password.
2.3. CPU Usage Spikes in Tomcat as Part of DoS Attack: Bugzilla 750521/CVE-2011-4858
In some circumstances, Tomcat could allow a denial of service attack if an attacker triggered predictable collisions in the hashing algorithms used by Java, Python, PHP, and other languages in POST statements. The collisions would cause CPU usage to spike to 100% and effectively cause a denial of service.
The version of JBossWeb used by the JBoss ON server has been upgraded to include fixes for CVE-2011-4858.
