cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
Gkrause
Fluorite | Level 6 Gkrause
Fluorite | Level 6

Bug in der commons-collection library - effects for JBOSS in SAS Web Application unclear

Posted 01-13-2016 03:52 AM (1214 views)

Hi Guys!

 

This is a rather general question. There is a security bug which affects the JBOSS-Servers (check: https://bugzilla.redhat.com/show_bug.cgi?id=1279330). A lot of SAS-Webapplications are using JBOSS, i wonder what effect this may have on these applications.

Thanks.

 

Gunnar

0 Likes
Reply
3 REPLIES 3
anja
SAS Employee anja
SAS Employee

Re: Bug in der commons-collection library - effects for JBOSS in SAS Web Application unclear

Posted 01-14-2016 08:15 AM (1200 views)  |   In reply to Gkrause

Hi Gunnar,

 

please take a look at the folllowing link. Is this what you are looking for?

http://support.sas.com/security/Java-deserialization.html

 

Thanks

Anja

0 Likes
Reply
Gkrause
Fluorite | Level 6 Gkrause
Fluorite | Level 6

Re: Bug in der commons-collection library - effects for JBOSS in SAS Web Application unclear

Posted 01-15-2016 04:18 AM (1165 views)  |   In reply to anja

Hi Anja,

 

yes this is exatctly the issue but the link does not show any solution. It is just a notification that sas knows about the issue.

Anyhow...I am not really sure if this is a SAS responsibility or if the people behind JBoss must act here?

 

Thanks.

Gunnar

0 Likes
Reply
boemskats
Lapis Lazuli | Level 10 boemskats
Lapis Lazuli | Level 10

Re: Bug in der commons-collection library - effects for JBOSS in SAS Web Application unclear

Posted 01-14-2016 11:20 AM (1197 views)  |   In reply to Gkrause

Hi Gunnar,

 

I highly recommend reading through this note if it applies to your version of JBoss:

 

https://access.redhat.com/solutions/30744

 

It's an older vulnerability with a poorly secured JMX console. Although you should be ok if you're running on an internal network and/or non-standard port, you should exercise extreme caution if you're running a publically accessible SAS server without a reverse proxy. I've had to chase a couple of trojans down, it's not fun. The fix in that link is relatively straightforward.

 

Hope this helps.

 

Nik

Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • ‎01-13-2016 03:52 AM
  • 1215 views
  • 1 like
  • 3 in conversation