(Novell Issues Advisory for Identity Manager) JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
|
|
SecurityTracker Alert ID: 1017622 |
|
SecurityTracker URL: http://securitytracker.com/id/1017622
|
|
CVE Reference:
CVE-2006-5750
(Links to External Site)
|
Date: Feb 12 2007
|
Impact:
Disclosure of system information, Disclosure of user information, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.0, 3.0.1 SP1
|
Description:
A vulnerability was reported in JBoss Application Server. A remote user can view or write files on the target system. Novell Identity Manager is affected.
The setBaseDir() method of the DeploymentFileRepository class does not properly validate the basedir setting. A remote user can connect to the console manager to read or write arbitrary files on target system with the privileges of the JBoss user account.
Symantec reported this vulnerability to the vendor.
The original bug report is available at:
http://jira.jboss.com/jira/browse/JBAS-3861
|
Impact:
A remote user can view or write files on the target system.
|
Solution:
Novell has issued an advisory for Novell Identity Manager UserApplication, which includes JBoss and is affected by the JBoss vulnerability.
Novell recommends removing the vulnerable service and securing JBoss using procedures described in their advisory.
The Novell advisory is available at:
https://secure-support.novell.com/KanisaPlatform/Publishing/719/3024921_f.SAL_Public.html
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 12 Feb 2007 07:55:08 -0500
Subject: Novell Identity Manager UserApplication
|
> JBoss Application Server Security Vulnerability Notice
https://secure-support.novell.com/KanisaPlatform/Publishing/719/3024921_f.SAL_Public.html
CVE-2006-5750
|
|
