Changes Required in JBoss EAP 6.4 Update 04 (6.4.4) to Resolve CVE-2015-5188
Environment
- JBoss EAP 6.4 Update 04 (6.4.4)
Issue
- What changes were made to resolve CVE-2015-5188?
Resolution
Users of the HTTP API for management, when posting to the /management-upload resource, are now required to send an X-Management-Client header (its purpose is to identify the client; the value itself can be anything), and to set a mime type on the "operation" part of the multipart/form-data message. The only supported mime types are "application/json" and "application/dmr-encoded". Existing HTTP clients which do not send these values will receive an HTTP 403 Forbidden response along with an error message informing them of the missing header and/or mime type. No changes are required for requests sent to the /management resource.
No other management APIs are affected (CLI, native remote Java, etc).
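The following is an added example, not Red Hat's or JBoss EAP's own code. It models the two checks described above for /management-upload (the X-Management-Client header and the mime type on the "operation" part) and builds a multipart/form-data request that satisfies them, alongside the kind of request a pre-6.4.4 client would send. The form field names "operation" and "patch", the header value "example-client/1.0" and the 403 message texts are assumptions; the header name and the two accepted mime types come from the article.

```python
import json
import uuid
from email.parser import BytesParser
from email.policy import HTTP

# Values from the article: the header the endpoint now demands, and the only
# mime types it accepts on the "operation" part.
CLIENT_HEADER = "X-Management-Client"
ALLOWED_OPERATION_TYPES = {"application/json", "application/dmr-encoded"}


def build_upload_request(operation, patch_bytes, patch_name="patch.zip", legacy=False):
    """Return (headers, body) for a multipart/form-data POST to /management-upload.

    legacy=True reproduces what a pre-6.4.4 client sends: no X-Management-Client
    header and no mime type on the "operation" part. The field names "operation"
    and "patch" are assumptions made for this example.
    """
    boundary = "----eap-upload-" + uuid.uuid4().hex
    op_headers = b'Content-Disposition: form-data; name="operation"\r\n'
    if not legacy:
        op_headers += b"Content-Type: application/json\r\n"
    patch_headers = (
        b'Content-Disposition: form-data; name="patch"; filename="'
        + patch_name.encode() + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n"
    )
    parts = [
        op_headers + b"\r\n" + json.dumps(operation).encode(),
        patch_headers + b"\r\n" + patch_bytes,
    ]
    delim = b"--" + boundary.encode()
    body = b"".join(delim + b"\r\n" + p + b"\r\n" for p in parts) + delim + b"--\r\n"
    headers = {"Content-Type": "multipart/form-data; boundary=" + boundary}
    if not legacy:
        # The article says any value is accepted; what matters is that it is present.
        headers[CLIENT_HEADER] = "example-client/1.0"
    return headers, body


def check_management_upload(headers, body):
    """Apply the post-CVE-2015-5188 rules and return (status, message).

    403 for a missing X-Management-Client header or a missing/unsupported mime
    type on the "operation" part, otherwise 200. The message texts are this
    example's own, not the server's.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if CLIENT_HEADER.lower() not in hdrs:
        return 403, "Missing " + CLIENT_HEADER + " header"
    ctype = hdrs.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return 403, "Expected multipart/form-data"
    # Reuse the stdlib MIME parser: prepend the top-level Content-Type so the
    # boundary is known, then walk the parts looking for "operation".
    raw = b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != "operation":
            continue
        if part["Content-Type"] is None:
            return 403, "Missing mime type on operation part"
        ptype = part.get_content_type()
        if ptype not in ALLOWED_OPERATION_TYPES:
            return 403, "Unsupported mime type on operation part: " + ptype
        return 200, "OK"
    return 403, "Missing operation part"


if __name__ == "__main__":
    # Constructed sample: a trivial operation and placeholder patch bytes.
    op = {"operation": "upload-deployment"}
    for legacy in (False, True):
        h, b = build_upload_request(op, b"PK placeholder patch bytes", legacy=legacy)
        print("legacy" if legacy else "updated", "client ->", check_management_upload(h, b))
```

Both requirements are things a plain cross-site HTML form submission cannot produce: a browser will not attach a custom request header to a form post, and it does not let the page choose a Content-Type for an ordinary text field. That is why satisfying them from JavaScript needs XMLHttpRequest together with FormData, which is the browser requirement the management console now has.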
Additionally, the patch upload facility in the EAP management console now requires a web browser which supports the XMLHttpRequest and FormData JavaScript APIs. Older web browsers (such as Internet Explorer 9) which do not support these APIs will notify the user that they need to use a recent web browser for this functionality.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.