IBM Rational Automation Framework Web UI Security Bypass Vulnerability
Release date: 2012-12-19
Updated: 2012-12-22
Affected systems:
IBM Rational Automation Framework 3.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57008
CVE(CAN) ID: CVE-2012-4816
IBM Rational Automation Framework automates middleware environment builds, middleware administration, and the deployment of applications and related artifacts. This customizable and extensible framework supports IBM WebSphere middleware, Oracle WebLogic Server and JBoss Application Server.
IBM Rational Automation Framework (RAF) 3.0, 3.0.0.1, 3.0.0.2, 3.0.0.3, 3.0.0.4 and 3.0.0.5 do not check credentials correctly. Access to the Rational Automation Framework (RAF) Web UI over port 80/TCP forces the user to log in, but a user can go directly to port 8080/TCP (the default application server port) and browse the various root contexts until the location of the wizard is found.
<*Source: IBM ([email protected])
Links: http://secunia.com/advisories/51587/
http://xforce.iss.net/xforce/xfdb/78379
http://www-01.ibm.com/support/docview.wss?uid=swg21620359
*>
Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:
Environment Generation Security Patch for Tomcat
1. Modify the file below to fix the Env Gen Wizard being accessible without logging in by default.
Path: C:\IBM\Apache\tomcat\conf
File: tomcat-users.xml
Add the user configuration between the <tomcat-users> tags (replace the example password with a strong one):
<role rolename="admin"/>
<user username="admin" password="test123" roles="admin"/>
2. Add the following elements above the </web-app> tag.
Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: web.xml
<security-role>
    <role-name>admin</role-name>
</security-role>
<security-constraint>
    <display-name>Environment Generation</display-name>
    <web-resource-collection>
        <web-resource-name>Administration</web-resource-name>
        <url-pattern>/rafw/*</url-pattern>
    </web-resource-collection>
    <!-- Only administrators can access this resource -->
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Use BASIC security -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Secure Area</realm-name>
</login-config>
3. Restart BuildForge.
Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)
Update the web.xml file
1. There are two copies of web.xml, located in the following directories:
/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml
/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml
Note: for WebSphere Application Server Network Deployment, the following file must be updated:
/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<cellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml
2. Insert the following into all three web.xml files:
<security-constraint>
    <display-name>Environment Generation</display-name>
    <web-resource-collection>
        <web-resource-name>Security constraint for Env Gen</web-resource-name>
        <url-pattern>/rafw/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
3. Enable WebSphere Application Server security.
4. Map the Security Roles in web.xml to WAS Manage User/Group.
Try logging in through the default WAS port: http://<server_url>:9080/rafw/env
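Both workarounds above (Tomcat and WAS) rely on a <security-constraint> in web.xml actually covering /rafw/*, requiring the admin role and CONFIDENTIAL transport, plus a <login-config> and a declared <security-role>. The following is an added audit script, not part of this advisory or of IBM's bulletin, that parses a web.xml and reports which of those pieces are missing; the two embedded web.xml documents are constructed samples, and the namespace-stripping helper is there because newer web.xml files declare a default xmlns.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a web.xml carrying the constraint from the workaround above.
PATCHED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><web-resource-name>Administration</web-resource-name>
      <url-pattern>/rafw/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
# Constructed sample of an unpatched file: no constraint at all, so /rafw/* is open.
UNPATCHED = '<web-app><servlet-mapping><url-pattern>/*</url-pattern></servlet-mapping></web-app>'

def _local(tag):
    """Strip the XML namespace that newer web.xml files declare on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, outer, inner):
    """Trimmed text of every <outer><inner> grandchild of elem."""
    return [i.text.strip() for o in elem if _local(o.tag) == outer
            for i in o if _local(i.tag) == inner and i.text]

def audit_web_xml(xml_text, url_pattern="/rafw/*", role="admin"):
    """Return the list of gaps in the Env Gen protection; an empty list means it is in place."""
    root = ET.fromstring(xml_text)
    # Find the first security-constraint whose web-resource-collection covers url_pattern.
    constraint = next((sc for sc in root.iter() if _local(sc.tag) == "security-constraint"
                       and url_pattern in _texts(sc, "web-resource-collection", "url-pattern")),
                      None)
    if constraint is None:
        return [f"no <security-constraint> covers {url_pattern}"]
    gaps = []
    # A missing auth-constraint permits everyone; an empty one denies everyone.
    if role not in _texts(constraint, "auth-constraint", "role-name"):
        gaps.append(f"auth-constraint does not require role {role!r}")
    if "CONFIDENTIAL" not in _texts(constraint, "user-data-constraint", "transport-guarantee"):
        gaps.append("transport-guarantee is not CONFIDENTIAL")
    if role not in _texts(root, "security-role", "role-name"):
        gaps.append(f"<security-role> {role!r} is not declared")
    if not _texts(root, "login-config", "auth-method"):
        gaps.append("no <login-config> with an <auth-method>")
    return gaps

if __name__ == "__main__":
    for name, doc in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, audit_web_xml(doc) or "OK")
```

Run it against each of the web.xml copies listed above after applying the workaround; any non-empty result means the wizard path is still reachable without the intended check.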
Vendor patch:
IBM
---
IBM has released a security bulletin (swg21620359) and a corresponding patch for this:
swg21620359: Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)
Link: http://www-01.ibm.com/support/docview.wss?uid=swg21620359