Security Advisory ID : BSA-2018-841
Product : Brocade Fabric OS
21483
Last Updated : 12 August 2019
Published : 19 December 2018
Status : Closed
Severity : High
CVSS Score : 8.8
Yes
CVE : CVE-2018-6446

Summary

Security Advisory ID : BSA-2018-841

Component : Hard-coded Credentials

Revision : 3.0: Final

A vulnerability in Brocade Network Advisor versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using undocumented user credentials and install additional JEE applications.
The vulnerability is due to the presence of undocumented user credentials with an encrypted default password that grant access to the JBoss Web Console Management.
A remote, unauthenticated user who has access to the Network Advisor client libraries and is able to decrypt the JBoss credentials could gain access to the JBoss web console.

Affected Products
Brocade Network Advisor Version before 14.3.1.

Products Confirmed Not Vulnerable
No other Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

Solution
Security updates for the issue described in this advisory are provided in Brocade Network Advisor Version 14.3.1.
The patch releases have been posted to the MyBroadcom web portal.

Recommended Action
Brocade recommends that all customers run a supported Network Advisor version and block JMX Console access.

Note:
There is a second vulnerability, described in Brocade Security Advisory BSA 2018-743, that affects JMX console access.
JMX console access must be secured by denying inbound access to the port on the host.
The JMX console runs on port 24604 (in the default configuration) or on the 5th port from the JBoss start port configured by the user during installation.
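The port-blocking mitigation from the Recommended Action and Note above, as an added example that is not part of the Brocade advisory. It assumes that "5th port from the JBoss start port" means start port + 4 (so the default 24604 corresponds to a start port of 24600), that iptables is the host firewall, and it uses constructed placeholder values for the start port and the management network; it prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not Brocade's own code. Derives the JBoss JMX console port from
# the install-time start port and emits host firewall rules that deny inbound
# access to it from everywhere except loopback and one management network.

# Port the JMX console listens on, given the JBoss start port.
# Assumption: the "5th port" counts the start port as the first, i.e. start + 4.
jmx_port() {
    start="$1"
    echo $(( start + 4 ))
}

# Print iptables rules for the JMX port: allow loopback, allow one admin
# network, drop everything else. Order matters: the DROP rule goes last.
jmx_block_rules() {
    port="$1"
    admin_net="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_net"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Return 0 if something on this host is listening on the given TCP port,
# so an operator can confirm which port the console actually bound to.
jmx_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found=1 } END { exit !found }'
}

# Constructed placeholder values; override via the environment before running.
PORT=$(jmx_port "${JBOSS_START_PORT:-24600}")
echo "JMX console port: $PORT"
jmx_block_rules "$PORT" "${ADMIN_NET:-10.0.0.0/24}"
```

Run with `JBOSS_START_PORT=<value chosen at install>` to get the rules for a non-default start port, and review the printed rules before applying them to the host.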

Credits:
Brocade is grateful to Jakub Palaczynski and Hans-Martin Münch from MOGWAI LABS GmbH for reporting the issue.

Revision History

Version - Change - Date
1.0 - Initial Publication - December 19, 2018
2.0 - Updated the Solution section - July 10, 2019
3.0 - Major update. Split from BSA 2018-743 - August 12, 2019