A vulnerability has been found in the version of JBoss used by Sophos Mobile Control (SMC). The JBoss server could be altered remotely to execute code and gain full access to the file system.
For more detailed information about JBoss and this vulnerability, refer to the section Additional information/FAQs below.
Applies to the following Sophos product(s) and version(s)
Sophos Mobile Control 3.5
Sophos Mobile Control 3.0
Sophos Mobile Control 2.5.0
Sophos Mobile Control 3.6
All Windows Servers
What To Do
To prevent the exploit from being executed, we strongly recommend that you do the following:
- Stop the SMC Service (SMCSVC).
- Delete the folder: %MDM_HOME%\jboss\server\mdm\deploy\http-invoker.sar
Important: Do not rename this folder. You must delete it.
- Start the SMC Service (SMCSVC).
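The steps above can be scripted and verified as follows. This is an added example, not Sophos code: it assumes MDM_HOME is available as an environment variable (otherwise pass the SMC installation directory with the hypothetical -MdmHome parameter), and the check for leftover names is a simple name match introduced here to catch a renamed or copied folder.

```powershell
# Added example (not Sophos code). Run from an elevated PowerShell prompt.
# Assumption: MDM_HOME is set in the environment; otherwise pass -MdmHome.
param(
    [string]$MdmHome     = $env:MDM_HOME,
    [string]$ServiceName = 'SMCSVC'          # service name as given on this page
)
$ErrorActionPreference = 'Stop'

if ([string]::IsNullOrWhiteSpace($MdmHome)) {
    throw 'MDM_HOME is not set; pass -MdmHome with the SMC installation directory.'
}
$deployDir = Join-Path $MdmHome 'jboss\server\mdm\deploy'
$target    = Join-Path $deployDir 'http-invoker.sar'
if (-not (Test-Path -LiteralPath $deployDir -PathType Container)) {
    throw "Deploy directory not found: $deployDir"
}

# Step 1: stop the SMC service and confirm it has really stopped.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2: delete the folder. It must be deleted, not renamed or moved aside.
if (Test-Path -LiteralPath $target) {
    Remove-Item -LiteralPath $target -Recurse -Force
    Write-Output "Deleted $target"
} else {
    Write-Output "Not present (already removed?): $target"
}

# Verification: refuse to restart if anything under deploy still carries the
# http-invoker name, e.g. a renamed folder or a backup copy left by an admin.
$leftovers = @(Get-ChildItem -LiteralPath $deployDir -Force |
    Where-Object { $_.Name -like '*http-invoker*' })
if ($leftovers.Count -gt 0) {
    $leftovers | ForEach-Object { Write-Warning "Still present: $($_.FullName)" }
    throw 'http-invoker content remains under deploy; delete it before restarting.'
}

# Step 3: start the SMC service again and report its state.
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

If the script stops at the verification step, the service is left stopped on purpose so that the remaining folder can be deleted before SMC is started again.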
This issue will be fixed in SMC version 3.6. You should upgrade to version 3.6 as soon as possible after it is released. According to the current plan, we hope to release SMC version 3.6 on or about 14 November 2013.
What is JBoss?
JBoss is the underlying Java application server which is used by SMC.
What exactly does the vulnerability allow an attacker to do?
The JBoss server could be altered remotely to execute code and gain full access to the file system. The attacker's code runs on the server with the same permissions as the account JBoss is running under.
Does this mean that an attacker can gain remote execution for most of our SMC installations?
For a typical customer configuration, is this vulnerability exposed over the internet?
Does the fix described above (of deleting the folder) completely remove the vulnerability?
How was the vulnerability reported?
The vulnerability was reported to Security Focus on October 15, and Sophos has just become aware of it.
Have any exploits been reported yet?
What action has Sophos taken to protect us against this vulnerability?
- Sophos has fixed the vulnerability in the forthcoming version 3.6.
- We have identified a quick fix (described above) to remove it from current versions.
- We advise all customers to implement this fix immediately. This will prevent the exploit from being executed.
- We also recommend that you upgrade to version 3.6 as soon as possible after it is released.