BSA-2017-314

Brocade Security Advisory ID

BSA-2017-314

Initial Publication Date

06/23/2017

Last Updated

09/10/2018

Revision

5.0: Final

Risk Impact

Low

Workaround

Yes

Component

WildFly

Affected CVE

CVE-2016-0793

CVSS Score

3.5

Summary

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote unauthenticated attackers to read sensitive files.

Statement
Only WildFly application servers running on Windows operating systems are affected; no versions of Red Hat JBoss EAP or layered products are affected.
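The following is an added illustration of the bug class named in the Summary, not code from Brocade, WildFly or this advisory, and it does not reproduce the specific WildFly bypass. It contrasts a naive deny-list filter that matches the raw request path against a filter that canonicalizes the path first (percent-decoding, backslash-to-slash, dot-segment collapse, lowercasing for a case-insensitive Windows filesystem) and then compares every path segment. The request paths, the `PROTECTED` directory list and the function names are constructed for this example.

```python
"""Deny-list vs. canonicalize-then-check for a servlet-style path filter.

Added example only; not Brocade's, WildFly's or the advisory's code.
It models the class of weakness in the Summary: a filter that blocks
requests for protected directories by matching the raw request path.
All sample request paths below are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve to clients (assumed list).
PROTECTED = ("WEB-INF", "META-INF")
PROTECTED_LC = {d.lower() for d in PROTECTED}


def denylist_filter(path: str) -> bool:
    """Naive deny-list: reject only an exact, case-sensitive, forward-slash prefix.

    On a case-insensitive filesystem that also accepts backslashes (Windows),
    'web-inf' or '\\WEB-INF' still resolve to the protected directory.
    Returns True when the request is allowed through.
    """
    return not any(path.startswith("/" + d + "/") for d in PROTECTED)


def canonicalize(path: str) -> str:
    """Reduce a request path to the form the filesystem will actually resolve.

    Steps: percent-decode twice (catches double-encoding), treat '\\' as '/',
    anchor at the root, collapse '.' and '..' segments, and lowercase.
    Assumption: the container serves files from a case-insensitive
    filesystem, so comparison is done in lowercase.
    """
    p = unquote(unquote(path))
    p = p.replace("\\", "/")
    # lstrip avoids a POSIX '//' prefix that normpath would preserve.
    p = posixpath.normpath("/" + p.lstrip("/"))
    return p.lower()


def hardened_filter(path: str) -> bool:
    """Canonicalize first, then check every path segment against the deny-list.

    Segment comparison (rather than a prefix test) also catches a protected
    directory nested below another one, e.g. '/app/WEB-INF/web.xml'.
    Returns True when the request is allowed through.
    """
    segments = canonicalize(path).split("/")
    return not any(seg in PROTECTED_LC for seg in segments)


def evaluate(paths):
    """Run both filters over request paths; returns {path: (naive, hardened)}."""
    return {p: (denylist_filter(p), hardened_filter(p)) for p in paths}


# Constructed sample requests: the first is a legitimate resource; the rest
# are variants aimed at /WEB-INF/web.xml.
SAMPLE_REQUESTS = [
    "/index.jsp",
    "/WEB-INF/web.xml",
    "/web-inf/web.xml",             # case variant
    "\\WEB-INF\\web.xml",           # backslash variant
    "/static/../WEB-INF/web.xml",   # dot-segment variant
    "/%57EB-INF/web.xml",           # percent-encoded 'W'
]

if __name__ == "__main__":
    for p, (naive, hard) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{p!r:34} naive={'allow' if naive else 'block'}  "
              f"hardened={'allow' if hard else 'block'}")
```

The naive filter lets every variant except the literal `/WEB-INF/web.xml` through; the hardened filter blocks all five. Even canonicalization leaves a deny-list brittle (Windows 8.3 short names such as `WEB-IN~1` are one further alias it does not cover), which is why resolving the request against the document root and serving only from an allow-list of directories is the more robust design; the network-level restriction in the Workaround section below is the compensating control when the application cannot be changed.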

Affected Products
Brocade Network Advisor versions released prior to and including 14.0.2.

Notes:
A security update delivered in BNA 14.0.3 and 14.1.1 corrects two issues in the filter restriction mechanism:
1. Accepting unauthenticated requests.
2. Accepting malformed requests that could disclose data on the server or allow remote code execution.

A further security update in BNA 14.4.3 addresses continued reporting of this issue by security scanners.

Products Confirmed Not Vulnerable
Brocade Fabric OS
Brocade Network Advisor for Linux OS

Workaround

  • Brocade recommends restricting access to the Brocade Network Advisor server to trusted networks only.
  • Install the Linux version of Brocade Network Advisor, which is not affected.

Revision History

Version   Change                                                                   Date
1.0       Initial Publication                                                      June 23, 2017
2.0       Updated to address NOS                                                   September 8, 2017
3.0       Updated the Risk Assessment                                              September 18, 2017
4.0       Updated to reword Affected Products and Workaround                       October 13, 2017
5.0       Updated with BNA version and to reflect Fibre Channel Products Only      September 10, 2018

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.