==========================================================================
webMethods Security Advisory
Glue console directory traversal vulnerability


Announced: 2007-04-17
Revised: 2007-05-07
Affects: webMethods Glue 4.x, 5.x, 6.x
Severity: High

I. Description

On April 11 2007, Patrick Webster reported a vulnerability in Glue on
this list. The vulnerability allows a user to remotely read any file on
the server where the Glue server is running. The full text of Patrick's
advisory is at http://www.aushack.com/advisories/200704-webmethods.txt.
This vulnerability has been assigned identifier CVE-2007-2048 in the
Common Vulnerabilities and Exposures dictionary (http://cve.mitre.org).


II. Impact

If an unauthorized attacker can connect to the vulnerable product, they
can read any file on the target system by submitting a URL such as
http://glueconsole:8080/console?resource=c:\boot.ini or
http://glueconsole:8080/console?resource=/etc/passwd. No authentication
is required.
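Added example, not part of the webMethods advisory: a small Python detector for the request pattern described above. It scans web-server access-log lines (Common Log Format is assumed) for requests to /console whose resource parameter names an absolute UNIX path, a Windows drive path, or a parent-directory traversal, so that exploitation attempts against a not-yet-patched Glue server can be picked out of existing logs. The sample log lines, the function names and the log format are assumptions.

```python
"""Added example (not webMethods code): flag Glue console 'resource'
requests in access logs that reference the file system directly."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format (assumed): host ident user [time] "METHOD path PROTO" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the first three mirror the advisory's URL shapes.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2007:10:01:02 +0000] "GET /console?resource=/etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [17/Apr/2007:10:01:09 +0000] "GET /console?resource=c:\\boot.ini HTTP/1.1" 200 412
10.0.0.7 - - [17/Apr/2007:10:02:00 +0000] "GET /console?resource=..%2F..%2Fweb.xml HTTP/1.1" 200 2211
10.0.0.9 - - [17/Apr/2007:10:03:15 +0000] "GET /console?resource=help.html HTTP/1.1" 200 5120
10.0.0.9 - - [17/Apr/2007:10:03:30 +0000] "GET /soap HTTP/1.1" 200 90
"""


def suspicious_resource(value):
    """Return a reason string when the resource value looks like direct
    file-system access (absolute path, drive path or ..), else None."""
    v = unquote(value).replace("\\", "/")   # normalise Windows separators
    if v.startswith("/"):
        return "absolute-unix-path"
    if re.match(r"^[A-Za-z]:/", v):
        return "absolute-windows-path"
    if ".." in v.split("/"):
        return "parent-traversal"
    return None


def scan_log(text):
    """Return (client, raw_resource, reason) for every /console request
    whose resource parameter is suspicious."""
    hits = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if url.path != "/console" and not url.path.startswith("/console/"):
            continue
        # parse_qs already percent-decodes once; suspicious_resource decodes again
        # so a double-encoded value is still examined in its decoded form.
        for raw in parse_qs(url.query, keep_blank_values=True).get("resource", []):
            reason = suspicious_resource(raw)
            if reason:
                hits.append((m.group("host"), raw, reason))
    return hits


if __name__ == "__main__":
    for host, raw, reason in scan_log(SAMPLE_LOG):
        print(f"{host}\t{reason}\t{raw}")
```

Run against the constructed sample, the first three lines are reported and the ordinary help.html request and the /soap request are ignored; point it at a real access log by replacing SAMPLE_LOG with the file's contents. Because the console requires no authentication, any hit here is worth treating as an exploitation attempt rather than a misconfiguration.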


III. Workaround

There are several optional workarounds:

(1) Disable the Glue console by editing the configuration files as
follows. This will prevent the attack, but limit the usability of the
system.

CAUTION: Changing these configuration files may render your system
unreliable. Back up all configuration files before making any changes.

Make the following changes to the web.xml file found in glue/WEB-INF:

* Remove the glue-console servlet definition

    <servlet>
      <servlet-name>glue-console</servlet-name>
      <servlet-class>electric.console.ConsoleServlet</servlet-class>
      ...
    </servlet>

* Remove the glue-console servlet mapping

    <servlet-mapping>
      <servlet-name>glue-console</servlet-name>
      <url-pattern>/console/*</url-pattern>
    </servlet-mapping>

Make the following changes to the glue-config.xml file found in
glue/WEB-INF:

* Change glue console enablement from "yes" to "no"

    <console>
      <!--enable the console by default?-->
      <enabled>no</enabled>
      ...

(2) Block access to the /console URL by unauthorized users. This
blocking must be implemented using a third party product such as a
firewall, and does not exist in webMethods products. This workaround
does not prevent authorized users from reading any file on the system.

(3) If the Glue server is running on a UNIX system, run it within a
"chroot" environment to limit those files which can be read.

IV. Fix

Fix Glue_5-0-2_Fix3 for Glue 5.0 is available for download from
http://www.webmethods.com/dnld/Glue_5-0-2_Fix3.zip. After downloading,
follow the instructions in the ZIP file to install the fix.

Glue 6.x is a licensed software product. Fixes are available to
customers from the Advantage web site (registered customers only).
Questions about these fixes or earlier product versions should be
directed to glue-security@webMethods.com.

V. Versions Affected

webMethods Glue 4.x, 5.x, 6.x


VI. Mitigating Factors

None


VII. Solution

See section IV above.


VIII. Common Criteria

This alert does not apply to the Common Criteria evaluated
configuration.

IX. Acknowledgements

This problem was reported by Patrick Webster at www.aushack.com.
webMethods appreciates Patrick's cooperation in reporting this problem
and in verifying the vulnerability.


X. Security Alerts

To subscribe to webMethods security alerts, send an email to
security-alerts-request@webmethods.com with the word 'SUBSCRIBE'
in the body of the message. Alternatively, subscribe to the "Security
Alerts" forum on webMethods Advantage.


XI. Copyright

Copyright 2007 by webMethods, Inc. Permission is granted for copying
and circulating this bulletin to webMethods customers for the purpose
of alerting them to those topics covered by this bulletin, if and only
if this bulletin is not edited or changed in any way, is attributed
to webMethods, and provided such reproduction and/or distribution is
performed for non-commercial purposes. Any other use of this information
is prohibited.


XII. Revision History

2007-04-17 Initial release
2007-05-07 Added information about how to get the fix, CVE identifier

==========================================================================