Architecting, installing and maintaining your SAS environment

Bug in the commons-collection library - effects for JBoss in SAS Web Application unclear

Occasional Contributor
Posts: 9

Hi Guys!

This is a rather general question. There is a security bug which affects JBoss servers (check: https://bugzilla.redhat.com/show_bug.cgi?id=1279330). A lot of SAS web applications are using JBoss; I wonder what effect this may have on these applications.

Thanks.

Gunnar

SAS Super FREQ
Posts: 291

Re: Bug in the commons-collection library - effects for JBoss in SAS Web Application unclear

Hi Gunnar,

please take a look at the following link. Is this what you are looking for?

http://support.sas.com/security/Java-deserialization.html

Thanks

Anja

Occasional Contributor
Posts: 9

Re: Bug in the commons-collection library - effects for JBoss in SAS Web Application unclear

Hi Anja,

yes, this is exactly the issue, but the link does not show any solution. It is just a notification that SAS knows about the issue.

Anyhow... I am not really sure if this is a SAS responsibility or if the people behind JBoss must act here?

Thanks.

Gunnar
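Added example, not part of the thread and not code from SAS or Red Hat: whichever party ships the fix, the first thing an administrator needs to know is which Commons Collections jars are actually deployed under the SAS/JBoss installation and whether they predate 3.2.2 / 4.1, the releases in which the unsafe functor classes (InvokerTransformer and friends) stopped being deserializable. The script below walks a directory tree, looks inside .war/.ear/.sar archives as well, reads the version the jar records about itself, and flags anything older. The directory layout, archive name and jar contents in the fixture are constructed for the demo and are not real SAS files.

```python
import io
import os
import re
import tempfile
import zipfile

# Commons Collections 3.2.2 and 4.1 disabled deserialization of the unsafe functor
# classes (InvokerTransformer and friends); anything older still carries the gadget.
FIXED_VERSIONS = {
    "commons-collections": (3, 2, 2),
    "commons-collections4": (4, 1),
}
JAR_NAME_RE = re.compile(r"^(commons-collections4?)-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_EXTS = (".war", ".ear", ".sar")  # containers that bundle jars in their lib dirs


def parse_version(text):
    """'3.2.1' -> (3, 2, 1). Unparseable strings give () so they sort as affected."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def is_vulnerable(artifact, version):
    return parse_version(version) < FIXED_VERSIONS[artifact]


def version_inside(zf, fallback):
    """Prefer the version the jar records about itself over the one in the file name."""
    for entry in zf.namelist():
        if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in zf.namelist():
        m = re.search(r"^Implementation-Version:\s*(\S+)",
                      zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1)
    return fallback


def inspect_jar(data, shown_path, findings):
    m = JAR_NAME_RE.match(os.path.basename(shown_path))
    if not m:  # not a Commons Collections jar (shaded/renamed copies are NOT caught)
        return
    artifact, name_version = m.groups()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = version_inside(zf, name_version)
    findings.append((shown_path, artifact, version, is_vulnerable(artifact, version)))


def scan(root):
    """(path, artifact, version, affected) for every Commons Collections jar under root,
    including jars packed one level down inside .war/.ear/.sar archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".jar"):
                with open(path, "rb") as f:
                    inspect_jar(f.read(), path, findings)
            elif fn.endswith(ARCHIVE_EXTS):
                with zipfile.ZipFile(path) as outer:
                    for entry in outer.namelist():
                        if entry.endswith(".jar"):
                            inspect_jar(outer.read(entry), path + "!" + entry, findings)
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture, not real SAS files: an old and a fixed 3.x jar on disk and an
    old commons-collections4 jar inside a .war, the way web apps normally bundle it."""
    def write_jar(dest, artifact, version):
        with zipfile.ZipFile(dest, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/maven/org.apache.commons/%s/pom.properties" % artifact,
                        "version=%s\nartifactId=%s\n" % (version, artifact))
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    write_jar(os.path.join(lib, "commons-collections-3.2.1.jar"), "commons-collections", "3.2.1")
    write_jar(os.path.join(lib, "commons-collections-3.2.2.jar"), "commons-collections", "3.2.2")
    inner = io.BytesIO()
    write_jar(inner, "commons-collections4", "4.0")
    with zipfile.ZipFile(os.path.join(root, "sasapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-collections4-4.0.jar", inner.getvalue())


def demo_scan():
    """Run the scanner over the constructed fixture; returns (artifact, version, affected)."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return [(a, v, hit) for _, a, v, hit in scan(root)]


if __name__ == "__main__":
    import sys
    rows = scan(sys.argv[1]) if len(sys.argv) > 1 else [("<fixture>",) + r for r in demo_scan()]
    for path, artifact, version, hit in rows:
        print("%-8s %-20s %-7s %s" % ("AFFECTED" if hit else "ok", artifact, version, path))
```

Run it with the JBoss or SAS configuration directory as the argument; without one it scans the constructed fixture. Two caveats: a jar that has been renamed or shaded into another artifact will not match the file-name pattern and must be found by other means, and the 3.2.2 / 4.1 releases only remove that one gadget chain; an application that deserializes untrusted input stays at risk with other libraries on the classpath.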

Frequent Contributor
Posts: 91

Re: Bug in the commons-collection library - effects for JBoss in SAS Web Application unclear

Hi Gunnar,

I highly recommend reading through this note if it applies to your version of JBoss:

https://access.redhat.com/solutions/30744

It's an older vulnerability with a poorly secured JMX console. Although you should be OK if you're running on an internal network and/or non-standard port, you should exercise extreme caution if you're running a publicly accessible SAS server without a reverse proxy. I've had to chase a couple of trojans down; it's not fun. The fix in that link is relatively straightforward.

Hope this helps.

Nik
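Added example, not from the thread or from Red Hat: a quick way to verify from the outside that the management consoles Nik mentions are not served to an anonymous client. The checker requests each console path with no credentials and without following redirects, then classifies the response (served, demanding authentication, redirected to a login page, or absent). The paths `/jmx-console/` and `/web-console/` are the default locations on the older JBoss AS releases that shipped those consoles and are an assumption; adjust them for your deployment. The stub server is constructed for the demo so the block runs offline; point `check_console` at your real base URL in practice.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Assumed default console paths on the older JBoss AS releases that shipped them.
CONSOLE_PATHS = ("/jmx-console/", "/web-console/")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to a login
    form is reported as such rather than counted as a 200 from the console."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_console(base_url, path, timeout=5):
    """Fetch base_url + path anonymously and classify the result:
    'exposed' (200 without auth), 'protected' (401/403), 'redirected' (3xx),
    'absent' (404) or 'other:<code>'."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "console-exposure-check"})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            code = resp.status
    except urllib.error.HTTPError as e:
        code = e.code
    if code == 200:
        return "exposed"
    if code in (401, 403):
        return "protected"
    if 300 <= code < 400:
        return "redirected"
    if code == 404:
        return "absent"
    return "other:%d" % code


class StubJBoss(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, not a real JBoss: /jmx-console/ is served to anyone
    (the misconfiguration), /web-console/ demands credentials, everything else 404."""
    def do_GET(self):
        if self.path.startswith("/jmx-console/"):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>stub console page</body></html>")
        elif self.path.startswith("/web-console/"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Start the stub on a loopback port, check the console paths, return the verdicts."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubJBoss)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        return {p: check_console(base, p) for p in CONSOLE_PATHS + ("/nothing-here/",)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in CONSOLE_PATHS:
            print("%-14s %s" % (p, check_console(sys.argv[1], p)))
    else:
        for p, verdict in demo().items():
            print("%-14s %s" % (p, verdict))
```

Anything reported as `exposed` on a host reachable from outside the trusted network needs attention before anything else in this thread, and `redirected` is worth a manual look to confirm the target really is a login page rather than a second copy of the console.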
