IT Process Automation

  • 1.  how to disable jboss PAM 4.3

    Posted Apr 19, 2018 07:36 AM

    I found this tecdoc:

    https://comm.support.ca.com/kb/how-to-disable-jboss-seam-framework-to-address-vulnerability-cve20101871-in-ca-process-automation/kb000020576


    but it didn't work with CA PAM 4.3.1 version.

    Is there a new and updated tecdoc or procedure for this issue?


    Regards,

    Pedro Figueiredo



  • 2.  Re: how to disable jboss PAM 4.3

    Broadcom Employee
    Posted Apr 19, 2018 08:25 AM

    Development addressed this issue within the code itself and this vulnerability is not present or exploitable in the 4.3+ releases



  • 3.  Re: how to disable jboss PAM 4.3

    Posted Apr 19, 2018 10:24 AM

    Well, in my case I'm able to access this URL and read its contents, which should not be accessible whatsoever...

    http://10.0.82.85:8180/status?full=true

    This possibility can be considered as a vulnerability, correct?


    Regards,

    Pedro Figueiredo



  • 4.  Re: how to disable jboss PAM 4.3

    Broadcom Employee
    Posted Apr 19, 2018 11:12 AM

    I just tested that URL in several lab systems and I cannot reach that page in any of my 4.3 SP2 environments, nor can I access that page at :8080/status?full=true or :8443/status?full=true, which are the ports my various LAB servers are installed on.  I am looking for an SP1 to try this on, but I do not expect this to have changed between SP1 and SP2.


    What URL is Process Automation on?  Normally we do not use 8180.  

    Could that URL be returning another application? 

    Maybe a load balancer?


    What do you get when you just go to http://10.0.82.85:8180 ?



  • 5.  Re: how to disable jboss PAM 4.3

    Broadcom Employee
    Posted Apr 19, 2018 12:10 PM

    Pedro,


    I have tested this in a 4.3 SP01 base install and I have found that the exposure does exist.

    Let me run through the steps outlined in the knowledge document to see if this is still exposed, and if so we can discuss it further from there. 



  • 6.  Re: how to disable jboss PAM 4.3
    Best Answer

    Broadcom Employee
    Posted Apr 19, 2018 01:47 PM

    Pedro,


    After further testing, what is exposed is not part of the SEAM framework, but a different vulnerability/exposure. 

    It seems to be part of the jboss_maindeployer, but I haven't been able to completely narrow this down. There is an earlier CVE that outlines this vulnerability exactly (CVE-2008-3273); however, the JBoss versions listed are earlier versions than what is used for CA Process Automation, so I am right now unable to determine exactly where the problem is coming from.

    I do know, however, that this is no longer exposed in CA Process Automation version 4.3 SP02.


    I would suggest first that you upgrade to 4.3 SP02.

    If you require this to be resolved at the 4.3 SP01 level, then we will need to get a case opened and follow this through with the engineering team. I cannot provide any information as to an ETA for a fix, so your best option is to upgrade the product to a version where this is no longer an issue. 

    If you do open an issue for this rather than upgrading, please note in the issue that it should be brought to the attention of the CA Process Automation team, as we are aware of this. 


    Let us know what you decide.


    ~Jennifer
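The checks described in posts 4 and 6 above (probing /status?full=true on the ports the product is installed on, and deciding whether what answers is the JBoss/Tomcat status servlet of CVE-2008-3273 or some other application behind that port) can be scripted so the result is repeatable before and after an upgrade to 4.3 SP02. The following is an added example and is not CA/Broadcom code or part of the original thread; the host and port list are taken from the thread, but the body markers it looks for (strings typical of the Tomcat-style status page such as "Max threads" and "Application list") and the classification labels are assumptions made for illustration.

```python
"""Probe a host for an unauthenticated JBoss/Tomcat status servlet
(the /status?full=true exposure discussed in the thread, cf. CVE-2008-3273).

Added example, not CA Process Automation code. The markers below are an
assumption about what the status page looks like, not a vendor specification.
"""
import ssl
import urllib.error
import urllib.request

# Ports mentioned in the thread: 8180 (reporter), 8080 and 8443 (support lab).
DEFAULT_PORTS = (8080, 8180, 8443)

# Assumed markers of the status servlet's HTML output. A 200 without any of
# them is reported as "unknown": something answered, but not obviously the
# status servlet (support's hypothesis of another application or a balancer).
STATUS_MARKERS = ("Status Servlet", "Application list", "Max threads")


def classify(status_code, body):
    """Turn an HTTP status and body into one of:
    exposed / blocked / absent / unknown / unreachable."""
    if status_code is None:
        return "unreachable"
    if status_code in (401, 403):
        return "blocked"          # servlet present but access controlled
    if status_code == 404:
        return "absent"           # status servlet not deployed at this path
    if status_code == 200:
        lowered = body.lower()
        if any(m.lower() in lowered for m in STATUS_MARKERS):
            return "exposed"      # status page readable without credentials
        return "unknown"
    return "unknown"


def fetch(url, timeout=5):
    """GET url without credentials; return (status_code, body_prefix).
    Certificate verification is disabled only because lab servers commonly
    use self-signed certificates; do not reuse that setting elsewhere."""
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"User-Agent": "status-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError, ssl.SSLError):
        return None, ""


def probe_host(host, ports=DEFAULT_PORTS):
    """Probe /status?full=true on each port (https on 8443, http otherwise)
    and return {port: classification}."""
    results = {}
    for port in ports:
        scheme = "https" if port == 8443 else "http"
        url = f"{scheme}://{host}:{port}/status?full=true"
        results[port] = classify(*fetch(url))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.82.85"  # host from the thread
    for port, verdict in probe_host(target).items():
        print(f"{target}:{port}/status?full=true -> {verdict}")
```

Run it against the server before and after applying 4.3 SP02; a port that moves from "exposed" to "absent" or "blocked" confirms the support statement that the page is no longer reachable, while "unknown" means the port is answering with something other than the status page and is worth inspecting by hand, as post 4 suggests.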