SA49 : Multiple JBoss vulnerabilities in IntelligenceCenter
SUMMARY
IntelligenceCenter uses a version of JBoss that has several publicly documented vulnerabilities. The most severe vulnerability allows a highly skilled attacker to gain complete control over the JBoss installation and possibly complete control over the IntelligenceCenter installation.
AFFECTED PRODUCTS
All versions of IntelligenceCenter prior to version 3.1.1.1 are vulnerable.
IntelligenceCenter 3.2 - a partial fix for the CVEs listed as having been addressed is available in 3.2.2.1. A full fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes.
IntelligenceCenter 3.1 - a partial fix for the CVEs listed as having been addressed is available in 3.1.1.1 and 3.1.2.1. A full fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes.
IntelligenceCenter 2.1 and earlier - please upgrade to a later version.
ISSUES
IntelligenceCenter's data collector agents prior to version 3.1.1.1 install and use JBoss version 4.0.3. This version of JBoss has several publicly documented vulnerabilities.
The most severe vulnerability allows a highly skilled attacker to gain complete control of the JBoss installation. All data stored by IntelligenceCenter, including configuration data, may be accessible to the attacker. The attacker can also mount a denial of service attack against JBoss, rendering IntelligenceCenter completely unresponsive both for administrative control and for data transmission.
When IntelligenceCenter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.
If IntelligenceCenter is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would then be 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C).
IntelligenceCenter 3.1.1.1 contains an upgrade to JBoss 4.2.2 fixing the CVEs documented in this security advisory.
IMPORTANT NOTE: CVE-2010-1428 and CVE-2010-0738 were mistakenly reported as having been addressed by this upgrade. IntelligenceCenter is still vulnerable to these two CVEs at this time.
MITIGATION
Blue Coat recommends that IntelligenceCenter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to IntelligenceCenter will greatly limit the ability to attack an IntelligenceCenter installation.
REFERENCES
CVE-2010-1429 - https://nvd.nist.gov/vuln/detail/CVE-2010-1429
CVE-2010-1428 - https://nvd.nist.gov/vuln/detail/CVE-2010-1428
CVE-2010-0738 - https://nvd.nist.gov/vuln/detail/CVE-2010-0738
CVE-2009-3554 - https://nvd.nist.gov/vuln/detail/CVE-2009-3554
CVE-2009-2405 - https://nvd.nist.gov/vuln/detail/CVE-2009-2405
CVE-2009-1380 - https://nvd.nist.gov/vuln/detail/CVE-2009-1380
CVE-2009-0027 - https://nvd.nist.gov/vuln/detail/CVE-2009-0027
CVE-2008-3273 - https://nvd.nist.gov/vuln/detail/CVE-2008-3273
CVE-2007-1354 - https://nvd.nist.gov/vuln/detail/CVE-2007-1354
CVE-2007-1157 - https://nvd.nist.gov/vuln/detail/CVE-2007-1157
CVE-2007-1036 - https://nvd.nist.gov/vuln/detail/CVE-2007-1036
CVE-2006-5750 - https://nvd.nist.gov/vuln/detail/CVE-2006-5750
REVISION
2019-08-16 Full fixes for IntelligenceCenter will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes. SA status moved to Closed.
2012-08-09 Notification that CVE-2010-1428 and CVE-2010-0738 were not fixed by the JBoss upgrade. The status was reset to Interim until a fix is obtained.
2012-01-16 Fixed inconsistent version numbers to indicate that the first fix is in 3.1.1.1.
2012-01-10 Initial public release