Scott_Owens

Notification: Possible CA Pam EJBInvokerServlet and JMXInvokerServlet servlets vulnerability 4.0-4.1SP1

Discussion created by Scott_Owens Employee on Nov 4, 2014

Summary:

CA PAM 4.0 through 4.1 SP1 contains a high-risk vulnerability that can allow a remote attacker to execute arbitrary code. The vulnerability lies in the EJBInvokerServlet and JMXInvokerServlet servlets. An attacker can upload and execute a malicious web application archive (WAR) file, which can result in a full compromise of the server.

To test for this vulnerability, replace <HOST> with the hostname of the PAM installation in the following URLs:

http://<HOST>:8080/invoker/EJBInvokerServlet

http://<HOST>:8080/invoker/JMXInvokerServlet

If the URLs are accessible without authentication, then the installation may be vulnerable.

The Product Vulnerability Response team is tentatively planning to release a public security notice for this vulnerability once all affected product teams have provided remediation.

Affected Products:

The following CA products contain this vulnerability:

  • CA Process Automation
    o 4.0
    o 4.0 SP1
    o 4.1
    o 4.1 SP1
  • CA Process Management for Workflows
    o 4.0
    o 4.0 SP1
    o 4.1
    o 4.1 SP1
  • Potentially any CA product using CA PAM 4.0 – 4.1 SP1

Note: the vulnerability may also affect CA products using JBoss Application Server, depending on how that software is configured.

Non-Affected Products:

CA PAM releases prior to 4.0

CA PAM 4.2 and above

What to do if a product is affected:

Update to CA PAM 4.2.

If an immediate upgrade is not possible, use the following instructions in the meantime to manually password-protect the vulnerable servlets.

1)    Open <PAM_Home>\server\c2o\deploy\httpha-invoker.sar\invoker.war\WEB-INF\web.xml

2)    Find these tags:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users
    with the role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

3)    Add the following url-pattern lines to the web-resource-collection of the security-constraint found in step 2, and remove the two http-method lines from it. (With http-method lines present, the constraint applies only to GET and POST and the servlets remain reachable through any other HTTP method, so it must apply to all methods.)

Add

<url-pattern>/JNDIFactory/*</url-pattern>
<url-pattern>/EJBInvokerServlet/*</url-pattern>
<url-pattern>/JMXInvokerServlet/*</url-pattern>

Remove

<http-method>GET</http-method>
<http-method>POST</http-method>

Resulting configuration:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users
    with the role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
    <url-pattern>/JNDIFactory/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

4)    Save the file and restart the PAM service.

5)    Access the following URLs and confirm that they are now password-protected:

http://pamserver:8080/invoker/EJBInvokerServlet

http://pamserver:8080/invoker/JMXInvokerServlet

Note: if the problem was detected using a security scanning tool, rescan the PAM server afterwards to confirm the finding is cleared.

6)    Repeat these steps on all PAM nodes.
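As an added check that is not part of this notification or of CA's product code, the following Python script parses a web.xml and verifies that the three invoker url-patterns from step 3 sit under a role-restricted security-constraint with no http-method lines. The web.xml strings are constructed for the example (not the real PAM file); PARTIAL_FIX keeps GET/POST to show why the http-method lines have to go.

```python
import xml.etree.ElementTree as ET

# Servlet paths the notification adds to the HttpInvoker security-constraint.
REQUIRED_PATTERNS = {"/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*"}

def _local(tag):
    # Strip any namespace prefix; some web.xml files declare the j2ee/javaee namespace.
    return tag.rsplit("}", 1)[-1]
def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def check_invoker_constraints(web_xml_text):
    """Return findings for a web.xml; an empty list means the fix from step 3 is in place."""
    root = ET.fromstring(web_xml_text)
    findings, covered, method_limited = [], set(), set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # A constraint whose auth-constraint names no role does not require a login.
        roles = [r for a in _children(sc, "auth-constraint") for r in _children(a, "role-name")]
        if not roles:
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern") if p.text}
            methods = [m.text.strip() for m in _children(wrc, "http-method") if m.text]
            hit = patterns & REQUIRED_PATTERNS
            if hit and methods:
                # http-method elements limit the constraint to the listed verbs; any other
                # verb reaches the servlet unauthenticated, which is why step 3 removes them.
                method_limited |= hit
                findings.append(f"{sorted(hit)} protected only for {methods}; remove http-method lines")
            elif hit:
                covered |= hit
    for missing in sorted(REQUIRED_PATTERNS - covered - method_limited):
        findings.append(f"{missing} is not covered by any role-restricted security-constraint")
    return findings

def sample_web_xml(patterns, methods):
    """Constructed minimal web.xml for this example (not the PAM file), one HttpInvoker constraint."""
    body = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    body += "".join(f"<http-method>{m}</http-method>" for m in methods)
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>HttpInvokers</web-resource-name>" + body +
            "</web-resource-collection><auth-constraint><role-name>HttpInvoker"
            "</role-name></auth-constraint></security-constraint></web-app>")

BEFORE_FIX = sample_web_xml(["/restricted/*"], ["GET", "POST"])                  # as shipped
PARTIAL_FIX = sample_web_xml(["/restricted/*", *sorted(REQUIRED_PATTERNS)], ["GET", "POST"])
AFTER_FIX = sample_web_xml(["/restricted/*", *sorted(REQUIRED_PATTERNS)], [])    # step 3 applied
```

Run check_invoker_constraints on the real web.xml contents after step 4 on each node; it reports nothing once the constraint matches the resulting configuration above.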
