CVE-2007-1036

Summary

CVE	CVE-2007-1036
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2007-02-21 11:28:00 UTC
Updated	2018-10-16 16:36:00 UTC
Description	The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.

Risk And Classification

Problem Types: CWE-264

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Jboss	Jboss Application Server	All	All	All	All
Application	Jboss	Jboss Application Server	All	All	All	All

References

Reference	Source	Link	Tags
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
JBoss.com - Wiki - SecureTheJmxConsole	MISC	wiki.jboss.org
JBoss.com - Wiki - SecureJBoss	MISC	wiki.jboss.org
SecurityFocus	BUGTRAQ	www.securityfocus.com
JBoss Default Configuration Lets Remote Users Gain Administrative Access - SecurityTracker	SECTRACK	www.securitytracker.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
US-CERT Vulnerability Note VU#632656	CERT-VN	www.kb.cert.org	US Government Resource
33744	OSVDB	osvdb.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2007-05-18	Mark J Cox	The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

There are currently no legacy QID mappings associated with this CVE.