dcm4chee

JBoss vulnerability

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: dcm4chee-2.17.1
  • Component/s: JBoss
  • Tracking Status:
    Config affected - Yes, Docs - No, Risk Analysis - Done, Test Spec - No, Test State - Not testable
  • Description:

    Emory University has begun using DCM4CHEE as a core part of its Enterprise Service Bus infrastructure. Basically, we are using DCM4CHEE to trigger the production of ESB messages (XML representations of DICOM objects) to implement integrations between research systems and between our clinical PACS (GE Centricity) and research systems.

    Unfortunately, our security team has serious concerns about JBoss 4. We're working with them to take some steps to manage the vulnerability that concerns them, but it would be optimal if DCM4CHEE would work with a more contemporary version of JBoss. Also, Emory University is moving to IBM WebSphere over the next two years to be on the same middleware platform as Emory Healthcare. Will it be possible to deploy DCM4CHEE in other standard app servers? Our security team's concerns are below. We would appreciate your comments and thoughts.

    -----------------------------
    JBoss 4 suffers from a vulnerability in its JMX-Console web application
    which allows unauthorized users to bypass controls and access the
    application. Part of the functionality of that application is the
    ability to deploy new applications, leading to code execution by an
    attacker. This vulnerability (CVE-2010-0738, 4/26/2010) postdates the
    latest release of JBoss 4 (4.2.3, 7/18/2008), so it is not possible to
    correct it by updating JBoss 4.
    -----------------------------

  • Environment:
    RHEL 5, VMware ESX

Activity

Gunter Zeilinger added a comment - 27/Jul/11 11:40 AM

Just removed

<http-method>GET</http-method>
<http-method>POST</http-method>

from DCM4CHEE_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml as described at https://access.redhat.com/kb/docs/DOC-30741.

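Added illustration of the check behind this fix (not code from the issue or from dcm4chee): a small audit that flags any security-constraint in a web.xml whose web-resource-collection enumerates http-method elements, since such a constraint protects only the listed methods, and that produces the hardened form by dropping them so the constraint covers every method. The web.xml excerpt is constructed for the example; the j2ee default namespace is included because real descriptors carry one.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml excerpt in the pre-fix shape: the constraint on /*
# lists GET and POST, so only those two methods require the admin role.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the namespace so tags match regardless of the xmlns used."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name: str) -> list:
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]


def find_method_limited_constraints(web_xml: str) -> list:
    """One finding per web-resource-collection that restricts itself to
    specific HTTP methods; an empty list means every constraint applies to
    all methods (the state the fix above produces)."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        roles = [r.text.strip() for r in sc.iter() if _local(r.tag) == "role-name"]
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:
                findings.append({"patterns": _texts(wrc, "url-pattern"),
                                 "methods": methods, "roles": roles})
    return findings


def harden(web_xml: str) -> str:
    """Remove every http-method element, as the comment above did by hand."""
    root = ET.fromstring(web_xml)
    for parent in root.iter():
        for child in list(parent):
            if _local(child.tag) == "http-method":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Running find_method_limited_constraints on a deployed descriptor before and after editing it gives a quick regression check that no constraint still limits itself to a method list.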
Gunter Zeilinger added a comment - 27/Jul/11 11:57 AM

I am currently working on dcm4chee-arc-4.x running on JBoss 6. Estimated release date Dec 2011. It will use JBoss Microcontainer instead of (legacy) JBoss JMX Kernel to plumb application components together. In theory, you can run JBoss Microcontainer in WebSphere.

Dates

  • Created: 26/Jul/11 9:14 PM
  • Updated: 05/Oct/11 12:13 PM
  • Resolved: 27/Jul/11 11:40 AM