JBoss security vulnerability


Murphy, Shawn N.

Apr 22, 2016, 1:19:24 AM
to i2b2-ins...@googlegroups.com, mem...@i2b2aug.org

Dear i2b2 community,


Some IT departments have been very concerned about a JBoss security vulnerability present in some types of JBoss installations as described in https://access.redhat.com/solutions/2045023 as this was used in several hospital exploits with ransomware.  If your i2b2 installation has this vulnerability it can be patched (see the attached file “i2b2_patching_commons-collections.docx” which contains exact instructions).  We recommend Option 1 of the included file because it has been the most tested with i2b2.  You can also upgrade to the latest version of JBoss which is now called Wildfly (see http://Wildfly.org) which is compatible with the latest release of i2b2. 


We also suggest that if you have not specifically configured the “white list” of your i2b2 web client index.php proxy that you update to the index.php which is available on https://github.com/i2b2/i2b2-webclient and in release 1.7.07b of the web client which automatically configures your “white list” to be as restrictive as possible.   The index.php file should be backwardly compatible with all previous versions of i2b2, so even if you do not install web client 1.7.07b you can simply replace your current index.php with the latest version on Github no matter what version of i2b2 you may have.


Thanks,

Shawn and the i2b2 team


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

i2b2_patching_commons-collections.docx

Murphy, Shawn N.

Apr 22, 2016, 2:26:05 AM
to i2b2-ins...@googlegroups.com, mem...@i2b2aug.org

Dear i2b2 Community,


We should have emphasized in our last email that we know of NO KNOWN EXPLOITS of the JBoss server software on i2b2 installations at this time. The JBoss software is used by over half the servers in the world, and IT departments are simply performing due diligence to make sure these servers are patched. We want to make sure that our i2b2 community knows how the servers can be patched without affecting the i2b2 software so you can respond if necessary to IT department requests.


Thanks,

Shawn and i2b2 team.

Mendis, Michael E.

Apr 23, 2016, 3:57:19 AM
to i2b2-ins...@googlegroups.com, mem...@i2b2aug.org
Hello all,

Just adding my experience with the testing. According to Red Hat, the following JBoss versions are affected:
  • Red Hat JBoss Enterprise Application Platform 6.x
  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 4.3.x
i2b2 released documentation on installing i2b2 on JBoss 4.2.2 and 7.1.1, which are not in the list. I can tell you that 7.1.1 does contain the apache-commons 3.2.1 which is the one in question. BUT, the JMXInvokerServlet was changed after 6.x, which is why it is not in the list. To exploit the issue, someone would need to be able to access the apache-commons-3.2.1 and that door is closed via the JMXInvokerServlet, which was running on http://localhost:8080/invoker/JMXInvokerServlet

In regards to WildFly, I have tested with great success with version 10. If you want to test with it, change any of the build.properties files to point to the WildFly home directory and also the {cell}_application_directory.properties with the location of the WildFly home directory and location of the application directory. Here is a sample of the crc one

crc_application_directory.properties

###############################################
## Application properties for CRC Cell           ##
## $Id: crc_application_directory.properties,v 1.3 2008/09/12 15:31:34 lcp5 Exp $
###############################################

edu.harvard.i2b2.crc.applicationdir=/opt/wildfly-10.0.0.Final/standalone/configuration/crcapp


-mike

Murphy, Shawn N.

Apr 23, 2016, 8:27:18 AM
to i2b2-ins...@googlegroups.com, mem...@i2b2aug.org

Hi All,


And just to add to Mike's comments, JBoss 4.2.2 was used by very old versions of i2b2 and in my opinion should never be used any more. JBoss 4.2.2 has numerous security vulnerabilities and I am not sure if it is even possible to patch it successfully.


Thanks,

Shawn.

--
You received this message because you are subscribed to the Google Groups "i2b2 Install Help" group.
To unsubscribe from this group and stop receiving emails from it, send an email to i2b2-install-h...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

keith...@hms.harvard.edu

May 11, 2016, 3:18:52 PM
to i2b2 Install Help, mem...@i2b2aug.org
Here is a summary of this issue from the perspective of a SHRINE+i2b2 environment:

Extent:

- JBoss 7.1.1 contains the vulnerable commons-collections library, commons-collections-3.2.1.jar. (JBoss 7.1.1 has been included with i2b2-provided VM images and recommended by i2b2 installation guides for a fairly long amount of time.)

- No other component of the i2b2+SHRINE environment contains the offending classes. (specifically, JBoss 7.1.1, i2b2 1.7.x, Tomcat 7.0.59, SHRINE 1.20.x) This is based on the following test of an /opt directory containing both JBoss and SHRINE+Tomcat:

  [kdwyer@shrine-qa2 opt]$ sudo grep -R InvokerTransformer
  Binary file jboss-as-7.1.1.Final/modules/org/apache/commons/collections/main/commons-collections-3.2.1.jar matches
  Binary file jboss/modules/org/apache/commons/collections/main/commons-collections-3.2.1.jar matches
  [kdwyer@shrine-qa2 opt]$ 


Fixes:

1. Shut down i2b2.

2a. Run the zip command-line tool on an affected host to remove the three recommended classes from the vulnerable library:

   cd /opt/jboss-as-7.1.1.Final/modules/org/apache/commons/collections/main

   zip -d commons-collections-3.2.1.jar org/apache/commons/collections/functors/InvokerTransformer.class org/apache/commons/collections/functors/InstantiateFactory.class org/apache/commons/collections/functors/InstantiateTransformer.class

2b. Alternatively, push a patched version of the vulnerable library (prepared using the previous command) to the affected i2b2 host. A patched version of the library is linked in the .docx attachment to Shawn's original message.

3. Start i2b2 back up again.


MD5 for an unpatched version of the library:

$ md5sum commons-collections-3.2.1.jar.unpatched

13bc641afd7fd95e09b260f69c1e4c91  commons-collections-3.2.1.jar.unpatched


MD5 for a patched version of the library (with the above-mentioned 3 classes removed):

$ md5sum commons-collections-3.2.1.jar

fcac8fdc3ccbdaf709002d00d48b881a  commons-collections-3.2.1.jar



Keith Dwyer

Harvard Catalyst, SHRINE Network Operations

office: (617) 384-5250
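The check-and-patch procedure in Keith's post (grep the modules tree for the gadget class, strip the three functors classes from commons-collections-3.2.1.jar with `zip -d`, keep an `.unpatched` copy and compare MD5s) as a single added script. This is example code written for this thread, not part of i2b2, SHRINE or Keith's tooling. It uses Python's standard `zipfile` instead of the `zip` and `grep` binaries so it runs anywhere; the `demo()` function builds a constructed stand-in jar under a temporary directory (stub class files, not real bytecode), so it never touches a live JBoss install. The two MD5 values are the ones quoted above; `scan_tree()` and `strip_gadget_classes()` are hypothetical names, and pointing `scan_tree()` at a real `/opt` would report any jar that still carries the three classes.

```python
import hashlib
import os
import tempfile
import zipfile

# The three entries Keith's `zip -d` command removes from commons-collections-3.2.1.jar.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections/functors/InstantiateFactory.class",
    "org/apache/commons/collections/functors/InstantiateTransformer.class",
)

# MD5 values quoted in the thread for the unpatched and patched library.
KNOWN_MD5 = {
    "13bc641afd7fd95e09b260f69c1e4c91": "unpatched commons-collections-3.2.1.jar",
    "fcac8fdc3ccbdaf709002d00d48b881a": "patched commons-collections-3.2.1.jar",
}


def md5_of(path):
    """Streamed MD5 of a file, matching what `md5sum` prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def offending_entries(jar_path):
    """Return the subset of GADGET_CLASSES still present in a jar (the `grep -R` check, per archive)."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
    return [c for c in GADGET_CLASSES if c in names]


def scan_tree(root):
    """Walk a directory tree (e.g. /opt) and map every jar that still carries the classes to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = offending_entries(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the whole scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def strip_gadget_classes(jar_path):
    """Rewrite the jar without the three classes (what `zip -d` does), keeping a .unpatched copy.
    Returns the number of entries removed."""
    backup = jar_path + ".unpatched"
    os.replace(jar_path, backup)
    removed = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in GADGET_CLASSES:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))  # copy every other entry unchanged
    return removed


def build_demo_module(root):
    """Constructed stand-in for JBoss's commons-collections module: stub entries, not real bytecode."""
    moddir = os.path.join(root, "modules", "org", "apache", "commons", "collections", "main")
    os.makedirs(moddir)
    jar = os.path.join(moddir, "commons-collections-3.2.1.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/commons/collections/Transformer.class", b"\xca\xfe\xba\xbe stub")
        for c in GADGET_CLASSES:
            z.writestr(c, b"\xca\xfe\xba\xbe stub")
    return jar


def demo():
    """Scan, patch, rescan and hash-check the constructed module; returns the results for inspection."""
    root = tempfile.mkdtemp(prefix="jboss-demo-")
    jar = build_demo_module(root)
    before = scan_tree(root)
    removed = strip_gadget_classes(jar)
    after = scan_tree(root)
    with zipfile.ZipFile(jar) as z:
        remaining = z.namelist()
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "remaining": remaining,
        "known_build": KNOWN_MD5.get(md5_of(jar), "not one of the hashes quoted in the thread"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, run `scan_tree("/opt")` first and keep the `.unpatched` copy `strip_gadget_classes()` leaves behind; its MD5 should match the unpatched value above for an original JBoss 7.1.1 jar, while the constructed demo jar naturally matches neither hash.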
