Symptoms

OACI currently uses a vulnerable version of the XStream library. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the user running the affected application. The OACI Instance Manager deserializes XML that comes from an untrusted source into Java objects using the vulnerable XStream library. By adding an EventHandler proxy to the serialized object it is possible to execute arbitrary Java code. No authentication is required to exploit this issue.

CVE-2013-7285 has been assigned to this issue.

Cause

This behavior is tracked as CCU-12488 and will be fixed in a future OACI update.

Resolution

The ActiveMQ server listens on the public interface on port 61616. To prevent remote code execution, the ActiveMQ service should be configured to listen only on local (non-public) IP addresses. Perform the following steps:

  1. In the file '/usr/apache-activemq/conf/activemq.xml' on the OACI Instance Manager, change the following part of the configuration:

    <transportConnectors>
        <transportConnector name="openwire" allowLinkStealing="true" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>
    

    to:

    <transportConnectors>
        <transportConnector name="openwire_localhost" allowLinkStealing="true" uri="tcp://localhost:61616"/>
        <transportConnector name="openwire_backnet" allowLinkStealing="true" uri="tcp://<BACKNET_IP>:61616"/>
    </transportConnectors>
    

    where <BACKNET_IP> is the internal (backnet) IP address of the Instance Manager; it is used by PACI-aps running on the Operations Automation management node. Also make sure that localhost resolves to 127.0.0.1.

  2. It is recommended to close all ports on the public interface of the Instance Manager except 4465, which is used for the OACI public API; the HTTP endpoint there requires authentication. Refer to the Configuring Firewall Rules chapter of the OACI deployment guide.

  3. It is recommended to allow network connections to the ActiveMQ service from the OA Management node only:

    # Run the DROP first, then the ACCEPT: each -I prepends to the chain, so the ACCEPT ends up above the DROP.
    iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 61616 -j DROP
    iptables -I INPUT -p tcp -s <OAMN_BACKNET_IP>,127.0.0.1 --dport 61616 -j ACCEPT
    

    where <OAMN_BACKNET_IP> is the backnet IP address of the OA Management node.

  4. If you have additional listeners configured in the /usr/local/share/PACI-im/IM-config.xml configuration file, adjust them accordingly.

    Listeners are configured in the following part of the IM-config.xml file:

    <jax-rs root="/paci" staticContent="true">
        <installRequestLogger disable="false" logResponses="true" />
        <formatXmlOutput />
        <validateRequests />
        <listener host="0.0.0.0" keystore-pwd="secret" maxThreads="100" minThreads="5" name="insecure" port="4465" reuseAddress="false" secure="false" />
    </jax-rs>
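As an added check (example code, not part of this article or of the OACI product), the following Python script parses configuration fragments of the shapes shown in steps 1 and 4 and reports any ActiveMQ transportConnector not bound to localhost or the backnet address, and any IM-config listener bound to all interfaces on a port other than the public API port 4465. The backnet address 10.0.0.5 and the second listener are constructed sample values; the namespace stripping makes the same check work on a namespaced activemq.xml.

```python
# Added audit example (not OACI code). Assumes the XML shapes shown in this article.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WILDCARD_HOSTS = {"0.0.0.0", "::", "*", ""}   # binds that expose the service on every interface
PUBLIC_PORTS_OK = {4465}                       # OACI public API (authenticated), allowed to stay public

def _local(tag):
    """Strip a namespace prefix so the check also works on a namespaced activemq.xml."""
    return tag.rsplit("}", 1)[-1]

def audit_activemq(xml_text, allowed_hosts):
    """Return (name, host) for every transportConnector not bound to an allowed host."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "transportConnector":
            host = urlparse(el.get("uri", "")).hostname or ""  # hostname is lower-cased, brackets removed
            if host in WILDCARD_HOSTS or host not in allowed_hosts:
                findings.append((el.get("name"), host))
    return findings

def audit_listeners(xml_text):
    """Return (name, host, port) for IM-config listeners on all interfaces and a non-public port."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "listener":
            host, port = el.get("host", ""), int(el.get("port", "0"))
            if host in WILDCARD_HOSTS and port not in PUBLIC_PORTS_OK:
                findings.append((el.get("name"), host, port))
    return findings

# Constructed samples: the 'before' and 'after' fragments from step 1, plus a listener block.
BACKNET_IP = "10.0.0.5"  # constructed placeholder for <BACKNET_IP>
BEFORE_ACTIVEMQ = """<transportConnectors>
<transportConnector name="openwire" allowLinkStealing="true" uri="tcp://0.0.0.0:61616"/>
</transportConnectors>"""
AFTER_ACTIVEMQ = f"""<transportConnectors>
<transportConnector name="openwire_localhost" allowLinkStealing="true" uri="tcp://localhost:61616"/>
<transportConnector name="openwire_backnet" allowLinkStealing="true" uri="tcp://{BACKNET_IP}:61616"/>
</transportConnectors>"""
IM_CONFIG = """<jax-rs root="/paci" staticContent="true">
<listener host="0.0.0.0" name="insecure" port="4465" secure="false" />
<listener host="0.0.0.0" name="extra" port="8080" secure="false" />
</jax-rs>"""
if __name__ == "__main__":
    allowed = {"localhost", "127.0.0.1", BACKNET_IP}
    print("before:", audit_activemq(BEFORE_ACTIVEMQ, allowed))  # [('openwire', '0.0.0.0')]
    print("after:", audit_activemq(AFTER_ACTIVEMQ, allowed))    # []
    print("listeners:", audit_listeners(IM_CONFIG))             # [('extra', '0.0.0.0', 8080)]
```

Any finding from the first function means port 61616 is still reachable on the public interface and step 1 has not been fully applied.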
    
