Vigil@nce: JBoss EAP, class downloading
September 2008 by Vigil@nce
An attacker can download classes in the default JBoss EAP
configuration.
– Gravity: 2/4
– Consequences: data reading
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 22/09/2008
IMPACTED PRODUCTS
– JBoss Enterprise Application Platform
– Red Hat Enterprise Linux
DESCRIPTION
The default JBoss EAP configuration contains :
...
The DownloadServerClasses property is enabled.
An attacker allowed to connect to the port 8083 can therefore read
non-EJB classes (.class extension) available on the server.
An attacker can therefore obtain sensitive information.
CHARACTERISTICS
– Identifiers: 458823, BID-31300, CVE-2008-3519, RHSA-2008:0831-01,
RHSA-2008:0832-01, RHSA-2008:0833-01, RHSA-2008:0834-01,
VIGILANCE-VUL-8124
– Url: http://vigilance.aql.fr/vulnerability/8124