JBoss AS Administration Cross Site Request Forgery Vulnerability

Bugtraq ID:	50888
Class:	Input Validation Error
CVE:	CVE-2011-3609
Remote:	Yes
Local:	No
Published:	Dec 02 2011 12:00AM
Updated:	Dec 02 2011 12:00AM
Credit:	David Black
Vulnerable:	Red Hat JBoss Application Server 7.02 Red Hat JBoss Application Server 7.0
Not Vulnerable:

JBoss AS Administration Cross Site Request Forgery Vulnerability

JBoss AS is prone to a cross-site request-forgery vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

JBoss AS 7.02 is vulnerable; other versions may also be affected.

JBoss AS Administration Cross Site Request Forgery Vulnerability

To exploit these issues, an attacker must entice an unsuspecting victim to follow a malicious URI or visit a malicious website.

JBoss AS Administration Cross Site Request Forgery Vulnerability

Solution:
Updates are available. Please see the references for more details.

JBoss AS Administration Cross Site Request Forgery Vulnerability

References:

• JBoss Community Homepage (JBoss Group)
  
• Bug 743006 - (CVE-2011-3609) CVE-2011-3609 JBoss AS: CSRF in the administration (Red Hat)
  
• Prevention of CSRF reqeusts being accepted and disabling cross-origin resource s (JBoss)