JBoss upgrade for Percussion 7.3 instance

I need to upgrade JBoss to the latest available version.
If anyone has experience doing this before, or any recommendations, it would help greatly.
We are running Percussion version 7.3.

Hi,

The embedded JBOSS shipped with the product cannot be upgraded independently as it is customized for CM System. Is there a specific security constraint or other concern that is driving the need to upgrade the JBOSS version?

-n

[QUOTE=rmungara;21165]I need to upgrade JBoss to the latest available version.
If anyone has experience doing this before, or any recommendations, it would help greatly.
We are running Percussion version 7.3.[/QUOTE]

[QUOTE=natechadwick;21166]Hi,

The embedded JBOSS shipped with the product cannot be upgraded independently as it is customized for CM System. Is there a specific security constraint or other concern that is driving the need to upgrade the JBOSS version?

-n[/QUOTE]

Yes, it's for resolving a security issue:
“JBoss Enterprise Application Platform (EAP) contains a vulnerability in its status servlet when handling a “full=true” query string. This could be exploited by attackers to gain sensitive information on deployed web contexts (e.g. application lists) and subsequently leveraged to research further attacks.”

Any suggestion on how to overcome this if an upgrade is not a possibility?

Thanks for your response.

Sure.

There are instructions and example configuration files for securing the various JBOSS components here: http://help.percussion.com/cmsystem/howto/how-to-secure-the-jboss-server . JBOSS also covers more advanced configurations (including encryption) in its own documentation here: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html

Once the configuration is hardened, the security flag on any application scans should show as being mitigated.

-n

[QUOTE=rmungara;21167]Yes, it's for resolving a security issue:
“JBoss Enterprise Application Platform (EAP) contains a vulnerability in its status servlet when handling a “full=true” query string. This could be exploited by attackers to gain sensitive information on deployed web contexts (e.g. application lists) and subsequently leveraged to research further attacks.”

Any suggestion on how to overcome this if an upgrade is not a possibility?

Thanks for your response.[/QUOTE]

I am also trying to harden JBoss, and I am not a web developer. The configuration information includes a clear-text username=password entry in the rx-services-users.properties file. That will cause another security flag for us. I am trying to determine how to use the hashAlgorithm=sha256 option, but working out how to generate the password isn't straightforward (for a non-developer). I am trying to work with OpenSSL now to generate a password. Any assistance would be greatly appreciated.

Hi,

To generate a SHA-256 password, the following command, executed in a command-line terminal on Linux or a Mac with OpenSSL installed (or in a Cygwin shell on Windows), should output the encrypted value for “MyPassword”. You can then copy and paste that output as the password into the properties file.

printf '%s' MyPassword | openssl dgst -sha256 -binary | openssl base64
(printf is used instead of "echo -n" because some /bin/sh implementations print the "-n" literally, which would silently hash the wrong string.)

NOTE: on the JBOSS configuration side the algorithm is specified slightly differently; the syntax is:

<module-option name="hashAlgorithm">SHA-256</module-option>

-nate
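As an added example (not code from the thread or from Percussion), the following POSIX shell script wraps the OpenSSL recipe above into reusable functions: one producing the hex digest, one producing the base64 digest that the JBoss 4 UsersRolesLoginModule expects when hashAlgorithm is SHA-256 and hashEncoding is left at its base64 default, one emitting a ready-to-paste "user=hash" properties line, and one that reproduces the check the login module performs at authentication time. The function names, the user name "alice" and the password "abc" are this example's own constructed inputs, not real credentials.

```shell
#!/bin/sh
# Added example (not from the thread): generate and verify the unsalted
# SHA-256 password values used by a JBoss 4 UsersRolesLoginModule configured
# with hashAlgorithm=SHA-256 (hashEncoding defaulting to base64).
# All function names here are this example's own; the "user=hash" line
# format is the JBoss users.properties convention.

# Hex digest of the password (what you would store with hashEncoding=hex).
# printf avoids the portability problem of "echo -n": some /bin/sh
# implementations print the "-n" literally and would hash the wrong string.
jboss_hash_hex() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Base64 digest: the value to paste into the properties file when
# hashEncoding is left at its base64 default.
jboss_hash_b64() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64
}

# One ready-to-paste properties line, e.g. "alice=<base64 hash>".
jboss_user_line() {
    printf '%s=%s' "$1" "$(jboss_hash_b64 "$2")"
}

# What the login module does at authentication time: hash the submitted
# password the same way and compare it with the stored value.
# Returns 0 on match, 1 otherwise.
jboss_check_password() {
    _stored="$1"
    _candidate="$2"
    [ "$(jboss_hash_b64 "$_candidate")" = "$_stored" ]
}

# Demonstration on constructed inputs (not real credentials).
line="$(jboss_user_line alice abc)"
printf 'properties line: %s\n' "$line"
stored="${line#*=}"
jboss_check_password "$stored" abc && echo "abc: accepted"
jboss_check_password "$stored" abd || echo "abd: rejected"
```

The value printed for "alice" is what goes on that user's line in the properties file, alongside the hashAlgorithm module-option shown above. Two caveats a reviewer would raise: this is a plain, unsalted SHA-256 of the password, so it removes the clear-text finding but does nothing against offline guessing if the properties file is ever exposed, and the file's permissions therefore still matter; and the properties-file comparison is a straight string compare, so the hash must be pasted exactly (no trailing spaces or wrapped lines).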