https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243504#M3906 <P>Hi Gunnar,</P> <P>&nbsp;</P> <P>I highly recommend reading through this note if it applies to your version of JBoss:</P> <P>&nbsp;</P> <P><A href="https://access.redhat.com/solutions/30744" target="_blank">https://access.redhat.com/solutions/30744</A></P> <P>&nbsp;</P> <P>It's an older vulnerability with a poorly secured JMX console. Although you should be ok if you're running on an internal network and/or non-standard port, you should exercise extreme caution if you're running a publically accessible SAS server without a reverse proxy. I've had to chase a couple of trojans down, it's not fun. The fix in that link is relatively straightforward.</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>Nik</P> Thu, 14 Jan 2016 16:20:21 GMT boemskats 2016-01-14T16:20:21Z https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243138#M3882 <P>Hi Guys!</P><P>&nbsp;</P><P>This is a rather general question. There is a security bug which affects the JBOSS-Servers (check: <A href="https://bugzilla.redhat.com/show_bug.cgi?id=1279330)." target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1279330).</A> A lot of SAS-Webapplications are using&nbsp;JBOSS, i wonder what effect this may have on these applications.</P><P>Thanks.</P><P>&nbsp;</P><P>Gunnar</P> Wed, 13 Jan 2016 08:52:46 GMT https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243138#M3882 Gkrause 2016-01-13T08:52:46Z https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243462#M3896 <P>Hi Gunnar,</P> <P>&nbsp;</P> <P>please take a look at the folllowing link. Is this what you are looking for?</P> <P><A href="http://support.sas.com/security/Java-deserialization.html" target="_blank">http://support.sas.com/security/Java-deserialization.html</A></P> <P>&nbsp;</P> <P>Thanks</P> <P>Anja</P> Thu, 14 Jan 2016 13:15:45 GMT https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243462#M3896 anja 2016-01-14T13:15:45Z https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243504#M3906 <P>Hi Gunnar,</P> <P>&nbsp;</P> <P>I highly recommend reading through this note if it applies to your version of JBoss:</P> <P>&nbsp;</P> <P><A href="https://access.redhat.com/solutions/30744" target="_blank">https://access.redhat.com/solutions/30744</A></P> <P>&nbsp;</P> <P>It's an older vulnerability with a poorly secured JMX console. Although you should be ok if you're running on an internal network and/or non-standard port, you should exercise extreme caution if you're running a publically accessible SAS server without a reverse proxy. I've had to chase a couple of trojans down, it's not fun. The fix in that link is relatively straightforward.</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>Nik</P> Thu, 14 Jan 2016 16:20:21 GMT https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243504#M3906 boemskats 2016-01-14T16:20:21Z https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243709#M3911 <P>Hi Anja,</P><P>&nbsp;</P><P>yes this is exatctly the issue but the link does not show any solution. It is just a notification that sas knows about the issue.</P><P>Anyhow...I am not really sure if this is a SAS responsibility or if the people behind JBoss must act here?</P><P>&nbsp;</P><P>Thanks.</P><P>Gunnar</P> Fri, 15 Jan 2016 09:18:49 GMT https://communities.sas.com/t5/Administration-and-Deployment/Bug-in-der-commons-collection-library-effects-for-JBOSS-in-SAS/m-p/243709#M3911 Gkrause 2016-01-15T09:18:49Z