Applies To:

HP ALM, JBoss, HP QC 11.0


Issue:

The http-invoker component of JBoss Application Server which is present in the default ALM / QC deployment might provide an additional access point to the system in some circumstances.

The remote web server is affected by a remote code execution vulnerability. 

The "EJBInvokerServlet" and "JMXInvokerServlet" servlets hosted on the web server on the remote host are accessible to unauthenticated users and can be used to deploy arbitrary web application archive (WAR) files to the remote host. This could allow a remote, unauthenticated attacker to execute arbitrary Java code on the host by sending a specially crafted marshalled object. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.

 

Solution:

The ALM server does not require the http-invoker.sar component for its operation, so it can be removed completely.

The following solution can be applied on any OS supported for ALM / QC.

Remove the http-invoker.sar component completely

For a cluster deployment, perform the following steps on each node.

1. Go to <deployment_path>/jboss/server/default/deploy
   (where <deployment_path> is the path where ALM is installed)
2. Delete the http-invoker.sar directory.
3. Restart the ALM server.
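The removal steps above, as an added shell script that is not part of the HP article: it assumes the directory layout the steps give (<deployment_path>/jboss/server/default/deploy), takes the deployment path as its argument, and moves http-invoker.sar into a timestamped backup directory (a name chosen here, removed-components) rather than deleting it outright, so the change can be reverted if needed. Without an argument it exercises itself on a constructed temporary directory tree, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the HP article: back up and remove the
# http-invoker.sar component from the JBoss "default" server configuration
# used by ALM / QC, then verify that it is gone. The deployment path is a
# placeholder argument; the script never guesses it.

# Return 0 if the http-invoker.sar component is present in the deploy dir.
http_invoker_present() {
    [ -d "$1/http-invoker.sar" ]
}

# Move http-invoker.sar out of the deploy directory into a timestamped
# backup (a move rather than an outright delete, so the change is
# reversible). JBoss only deploys what sits under deploy/, so once the ALM
# server is restarted the EJBInvokerServlet and JMXInvokerServlet are no
# longer served. Returns 0 on success, and also when nothing needed removing.
remove_http_invoker() {
    deploy_dir="$1"
    backup_dir="$2"
    if ! http_invoker_present "$deploy_dir"; then
        echo "http-invoker.sar not found in $deploy_dir; nothing to do"
        return 0
    fi
    mkdir -p "$backup_dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$deploy_dir/http-invoker.sar" "$backup_dir/http-invoker.sar.$stamp" || return 1
    echo "moved http-invoker.sar to $backup_dir/http-invoker.sar.$stamp"
    # Re-check so callers can rely on the return code rather than the log line.
    ! http_invoker_present "$deploy_dir"
}

# Usage: sh remove_http_invoker.sh <deployment_path>
# Without an argument the script runs against a constructed temporary tree
# that mimics <deployment_path>/jboss/server/default/deploy (sample data,
# not a real ALM installation).
if [ -n "$1" ]; then
    root="$1"
else
    root=$(mktemp -d)
    mkdir -p "$root/jboss/server/default/deploy/http-invoker.sar/invoker.war/WEB-INF"
    echo "constructed sample tree at $root (not a real ALM installation)"
fi
remove_http_invoker "$root/jboss/server/default/deploy" \
    "$root/jboss/server/default/removed-components" || exit 1
echo "done; restart the ALM server to complete the change"
```

Run it once per cluster node, then restart the ALM server on that node as step 3 requires; the exit status is non-zero only if the component was present and could not be moved.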
Secure configuration of the http-invoker.sar component

If you choose not to remove the http-invoker.sar component, follow the JBoss documentation on configuring the component securely. For a cluster deployment, apply the configuration on each node.

http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/How_to_Secure_the_JBoss_Server-The_HTTP_Invokers.html