How can Palo Alto protect against JBOSS vulnerability

L2 Linker

Dear all,

We are trying to protect a JBOSS web server against a server default configuration vulnerability. This is described at:

http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-serv...

How can Palo Alto protect servers against this kind of vulnerability?

Best regards,

Juan Pablo

Accepted Solutions

L6 Presenter

When you set up your security rule, make it as tight as possible.

In this particular case I guess web-browsing would be the proper appid to use (look at http://apps.paloaltonetworks.com/applipedia/ for available appids unless you have access to a PA-device) along with "application-default" as service (or even better set a manual port/ports for this, such as TCP80), like so:

appid: web-browsing

service: TCP80

action: allow

The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of application firewalling (regarding the appid option).

Now, for added security you should enable vulnerability protection as well.

A common setup for vulnprotection is to use the following setup:

critical: block

high: block

medium: block

low: default

informational: default

You can set low and informational to block as well; however, default is the recommended setting in order to lower the risk of false positives (default means that the default action (either allow or block) will be applied according to the default specified by PA themselves).

In order to find out if the IDP function of the PA-device will be able to spot the vuln you linked to, you can search in http://wwapps.paloaltonetworks.com/ThreatVault/

Since your link doesn't have CVE info I can only guess which of the following detectable threats is the one mentioned in your link:

| ID | Threat name | Severity | CVE |
|---|---|---|---|
| 34765 | JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |
| 34764 | JBoss Java Class MainDeployer Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |
| 34763 | JBoss Server 7 Web Management Console War File Deployment | medium | |
| 34509 | JBoss Java Class Security Bypass Vulnerability | high | CVE-2010-0738 |
| 33561 | JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
| 33547 | JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
| 33268 | JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |

You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.

Then you can take this a few steps further (depending on needs etc).

For example, only allow identified users to be let through your PA-device (using the userid function), or you can allow a particular source IP (and if connected to the internet you can also allow based on country, or for that matter block specific countries; note however that geoip isn't foolproof but can be helpful to get rid of most of the bad hosts that try to connect to your resources).
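
The rule and profile settings recommended in the answer above, written as an audit check. This is an added example, not part of the original post and not Palo Alto's code; the field names (`appid`, `service`, `vuln_profile`) and the sample rules and profiles are hypothetical and constructed, not the PAN-OS configuration schema.

```python
# Added example: field names are hypothetical, not the PAN-OS config schema.
BLOCK_REQUIRED = ("critical", "high", "medium")  # the answer sets these to block
DEFAULT_OK = ("low", "informational")            # the answer leaves these at default

def audit_profile(profile):
    """Return findings for a vulnerability protection profile (severity -> action)."""
    findings = []
    for sev in BLOCK_REQUIRED:
        action = profile.get(sev, "missing")
        if action != "block":
            findings.append(f"{sev}: action is '{action}', expected 'block'")
    for sev in DEFAULT_OK:
        action = profile.get(sev, "missing")
        if action not in ("default", "block"):
            findings.append(f"{sev}: action is '{action}', expected 'default' or 'block'")
    return findings

def audit_rule(rule, profiles):
    """Return findings for one allow rule, following the advice in the answer."""
    findings = []
    if rule.get("action") != "allow":
        return findings  # only allow rules pass traffic that needs inspection
    if "any" in rule.get("appid", ["any"]):
        findings.append("appid is 'any'; name the application (e.g. web-browsing)")
    if "any" in rule.get("service", ["any"]):
        findings.append("service is 'any'; use application-default or explicit ports")
    name = rule.get("vuln_profile")
    if name is None:
        findings.append("no vulnerability protection profile attached")
    elif name not in profiles:
        findings.append(f"vulnerability profile '{name}' is not defined")
    else:
        findings += [f"profile '{name}': {f}" for f in audit_profile(profiles[name])]
    return findings

# Constructed sample data: one profile as recommended, one that only alerts.
PROFILES = {
    "strict": {"critical": "block", "high": "block", "medium": "block",
               "low": "default", "informational": "default"},
    "alert-only": {"critical": "alert", "high": "alert", "medium": "alert",
                   "low": "default", "informational": "default"},
}
TIGHT = {"name": "jboss-web", "appid": ["web-browsing"], "service": ["TCP80"],
         "action": "allow", "vuln_profile": "strict"}
LOOSE = {"name": "jboss-any", "appid": ["any"], "service": ["any"],
         "action": "allow", "vuln_profile": "alert-only"}

if __name__ == "__main__":
    for rule in (TIGHT, LOOSE):
        print(rule["name"], audit_rule(rule, PROFILES) or "OK")
```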


2 REPLIES

Hi Mikand,

Good point!!!! Thank you very much!!!!

Best regards,

Juan Pablo
