JBoss Security Update for Bedework 3.7
As you may be already aware from messages on the Bedwork lists and/or the JBoss list, a vulnerability has been identified with respect to the JBoss JMX console. Although this vulnerability is in JBoss, not Bedework itself, Bedework installations may be affected.
The Bedework 3.7 quickstart has been modified to make the JMX console more secure. All future Bedework releases will inherit these changes.
Simply performing a subversion update to your existing installation will not address the vulnerability. To secure your JBoss installation, you need to to "manually" follow the procedure described below:
1. Locate the <security-constraint> element (around line 101) in the file
and remove the two <http-method> elements, so that it now appears as below
3. Lastly, change the JMX console password. In the Bedework quickstart configuration the userid and password are found in the file jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties
If you followed the instructions to secure Bedework during your initial installation (see https://wiki.jasig.org/display/BWK37/BW+3.7+Securing+Bedework ), you may have already changed the JMX console password.
4. Note that it is not good practice to run any web service as a privileged user (e.g. "root"). Therefore, to minimizie your risk overall, you should run JBoss under an unprivileged account.
If you are using a different version, please click on "Click for all versions" on the left side of the page and select the relevant version.