https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14697#M10786 <HTML><HEAD></HEAD><BODY><P>When you setup your security rule make it as tight as possible.</P><P></P><P><SPAN>In this particular case I guess web-browsing would be the proper appid to use (look at </SPAN><A class="jive-link-external-small" href="http://apps.paloaltonetworks.com/applipedia/">http://apps.paloaltonetworks.com/applipedia/</A><SPAN> for available appid's unless you have access to a PA-device) along with "application-default" as service (or even better set a manual port/ports for this, such as TCP80), like so:</SPAN></P><P></P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of applicationfirewalling (regarding the appid option).</P><P></P><P>Now - for added security you should enable vulnerability protection aswell.</P><P></P><P>A common setup for vulnprotection is to use following setup:</P><P></P><P>critical: block</P><P>high: block</P><P>medium: block</P><P>low: default</P><P>informational: default</P><P></P><P>You can set low and informational to block aswell however default is the recommended in order to lower risk of false-positives (default means that default action (either allow or block) will be applied according to the default specificed by PA themselfs).</P><P></P><P><SPAN>In order to find out if the IDP function of PA-device will be able to spot the vuln you linked to you can search in </SPAN><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/">http://wwapps.paloaltonetworks.com/ThreatVault/</A></P><P></P><P>Since your link doesnt have CVE info I can only guess which of the following detectable threats is the one mentioned in your link:</P><P></P><TABLE id="ListTable"><TBODY><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34765" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34765</P></TD><TD>JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34764" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34764</P></TD><TD>JBoss Java Class MainDeployer Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34763" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34763</P></TD><TD>JBoss Server 7 Web Management Console War File Deployment</TD><TD style="text-transform:capitalize">medium</TD><TD><BR /></TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34509" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34509</P></TD><TD>JBoss Java Class Security Bypass Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33561" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33561</P></TD><TD>JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33547" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33547</P></TD><TD>JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33268" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33268</P></TD><TD>JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR></TBODY></TABLE><P></P><P></P><P>You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.</P><P></P><P>Then you can take this a few steps further (depending on needs etc).</P><P></P><P>For example only allow identified users to be let through your PA-device (using userid function) or you can allow a particular sourceip (and if connected to internet you can also allow based on country or for that matter block specific countries (note however that geoip isnt foolproof but can be helpful to get rid of most of the bad hosts who tries to connect to your resources).</P></BODY></HTML> Wed, 23 May 2012 19:18:10 GMT mikand 2012-05-23T19:18:10Z https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14696#M10785 <HTML><HEAD></HEAD><BODY><P>Dear all, </P><P></P><P>we are trying to protect a JBOSS web server against a server default configuration vulnerability. This is described at. </P><P></P><P><A class="active_link" href="http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-server-default-configuration-vulnerability-1889469.html">http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-server-default-configuration-vulnerability-1889469.html</A></P><P></P><P>How can Palo Alto protect servers against this kind of vulnerability?</P><P></P><P></P><P>Best regards, </P><P></P><P>Juan Pablo</P></BODY></HTML> Wed, 23 May 2012 10:42:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14696#M10785 COMIP 2012-05-23T10:42:22Z https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14697#M10786 <HTML><HEAD></HEAD><BODY><P>When you setup your security rule make it as tight as possible.</P><P></P><P><SPAN>In this particular case I guess web-browsing would be the proper appid to use (look at </SPAN><A class="jive-link-external-small" href="http://apps.paloaltonetworks.com/applipedia/">http://apps.paloaltonetworks.com/applipedia/</A><SPAN> for available appid's unless you have access to a PA-device) along with "application-default" as service (or even better set a manual port/ports for this, such as TCP80), like so:</SPAN></P><P></P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of applicationfirewalling (regarding the appid option).</P><P></P><P>Now - for added security you should enable vulnerability protection aswell.</P><P></P><P>A common setup for vulnprotection is to use following setup:</P><P></P><P>critical: block</P><P>high: block</P><P>medium: block</P><P>low: default</P><P>informational: default</P><P></P><P>You can set low and informational to block aswell however default is the recommended in order to lower risk of false-positives (default means that default action (either allow or block) will be applied according to the default specificed by PA themselfs).</P><P></P><P><SPAN>In order to find out if the IDP function of PA-device will be able to spot the vuln you linked to you can search in </SPAN><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/">http://wwapps.paloaltonetworks.com/ThreatVault/</A></P><P></P><P>Since your link doesnt have CVE info I can only guess which of the following detectable threats is the one mentioned in your link:</P><P></P><TABLE id="ListTable"><TBODY><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34765" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34765</P></TD><TD>JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34764" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34764</P></TD><TD>JBoss Java Class MainDeployer Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34763" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34763</P></TD><TD>JBoss Server 7 Web Management Console War File Deployment</TD><TD style="text-transform:capitalize">medium</TD><TD><BR /></TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/34509" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>34509</P></TD><TD>JBoss Java Class Security Bypass Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33561" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33561</P></TD><TD>JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR style="background:none repeat scroll 0% 0% #d6e1e7"><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33547" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33547</P></TD><TD>JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2010-0738</TD></TR><TR><TD><P style="width: 20px; display: block; float: left;"><A href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33268" target="_blank"><IMG alt="Detail" src="https://ip1.i.lithium.com/abb187f020892196883a055b61293911f970e420/687474703a2f2f7777617070732e70616c6f616c746f6e6574776f726b732e636f6d2f5468726561745661756c742f436f6e74656e742f496d616765732f44657461696c49636f6e2e676966" title="Detail" /></A></P><P>33268</P></TD><TD>JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability</TD><TD style="text-transform:capitalize">high</TD><TD>CVE-2006-5750CVE-2010-0738</TD></TR></TBODY></TABLE><P></P><P></P><P>You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.</P><P></P><P>Then you can take this a few steps further (depending on needs etc).</P><P></P><P>For example only allow identified users to be let through your PA-device (using userid function) or you can allow a particular sourceip (and if connected to internet you can also allow based on country or for that matter block specific countries (note however that geoip isnt foolproof but can be helpful to get rid of most of the bad hosts who tries to connect to your resources).</P></BODY></HTML> Wed, 23 May 2012 19:18:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14697#M10786 mikand 2012-05-23T19:18:10Z https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14698#M10787 <HTML><HEAD></HEAD><BODY><P>Hi Mikand, </P><P></P><P>good point!!!! thank you very much!!!!</P><P></P><P></P><P>Best regards, </P><P></P><P>Juan Pabo</P></BODY></HTML> Thu, 24 May 2012 13:24:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-palo-alto-protect-against-jboss-vulnerability/m-p/14698#M10787 COMIP 2012-05-24T13:24:42Z