[Description]
A security flaw has been recently found which allows intruders to inject malicious code into ADempiere and access the whole database using that code.
[Risk]
Fatal
[Fix]
Not available yet.
[Progress]
No progress yet.
[Recommended Preventive Actions]
1. Run ADempiere on a small (as small as possible) set of computers.
2. Run ADempiere only using a trusted version, i.e. don't allow users to run their own modified versions.
3. Monitor the software installed on the machines running ADempiere (both client and server). In particular, disallow the use of Eclipse, NetBeans or any other Java IDE on those machines.
4. Remove Adempiere.properties when you're done with ADempiere.
5. If (4) is not possible, protect Adempiere.properties from network access and disallow any copy of it to be distributed even in the trusted LAN.
6. Configure the database and the application server to accept incoming connections only from a set of trusted IP addresses.
7. If possible, configure the database to keep a full log of database access by users (who logged in to the database, and when).
[Comments]
None of the recommended actions above guarantees the safety of your installation. Therefore pay close attention to who is using ADempiere and how/when it's being used.
ADempiere Security Team
Hi community, thanks Bahman for pointing to those flaws and triggering this discussion.
I want to depict a current possible SECURE SCENARIO to use Adempiere:
(Please notice this is applicable also to Compiere installations)
CLIENTS
1 - Don't install clients
2 - Install two servers - one for NX (call it NXServer), and the other for oracle and JBoss (call it ADServer)
3 - Allow clients to run only through an NX connection (you'll have total control of the Adempiere.properties on a Linux box)
4 - Configure the ADServer to accept connections only from NXServer
5 - Configure Oracle on ADServer to accept connections only from ADServer itself and from NXServer
SERVICES ON WEB
1 - Don't expose web services from JBoss directly
2 - Install an Apache server to expose, in a controlled way, just the needed services and pages from the JBoss ADempiere instance
In this scenario NX can be replaced with any terminal server software (Microsoft TS, Citrix, Sun Global Secure Desktop, etc).
And you must incur the costs of terminal server software licensing - but security is not free.
And you must secure all those servers - secure NX, secure Oracle, secure JBoss, secure Apache, secure Linux, etc.
-------------------
I also want to add that this security warning is latent in any software - even proprietary - but is more notorious in open source.
e.g.: there are underground modified versions of Windows Vista that hack computers.
But obviously it is easier to hack a Linux box and install modified libraries to hack the system - the sources are free.
The scenario recommended here aims to isolate access to the server in such a way that nobody can install or execute malicious code. There can be thousands of other possible scenarios - just be creative :-)
Regards,
Carlos Ruiz - globalqss
http://globalqss.com
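The IP-allowlist steps from the thread (the advisory's action 6 and steps 4 and 5 of the two-server scenario) written as a host firewall policy for the ADServer. This is an added example, not the project's code or anything posted by the security team or Carlos; the addresses, the Oracle/JBoss port numbers and the separate Apache proxy host are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Host firewall for the ADServer (Oracle + JBoss) in the NXServer/ADServer layout.
# All addresses below are constructed for this example; replace them with your own.
NXSERVER=192.0.2.10       # terminal server the users log in to
PROXY=192.0.2.30          # Apache host that fronts JBoss for web users (assumed separate)
ORACLE_PORT=1521          # assumption: default Oracle listener port
JBOSS_PORTS="1099 8080"   # assumption: default JNDI and HTTP ports used by ADempiere clients

# Emit one iptables command per line. Nothing is applied unless "apply" is passed,
# so the policy can be reviewed (or tested) before it touches the host.
build_rules() {
    printf '%s\n' \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Oracle: the ADServer itself (covered by lo above) and the NXServer only.
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$NXSERVER" "$ORACLE_PORT"
    # JBoss: the NXServer (fat clients) and the Apache proxy (web users) only.
    for port in $JBOSS_PORTS; do
        for src in "$NXSERVER" "$PROXY"; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
        done
    done
    # Log refused connections so they can be correlated with the database access log.
    printf '%s\n' "iptables -A INPUT -j LOG --log-prefix \"ADSERVER-DROP: \""
    # Default-deny is set last, after every ACCEPT rule is in place.
    printf '%s\n' "iptables -P INPUT DROP"
}

# Number of ACCEPT rules that admit a given source address (sanity check for the policy).
rules_for_source() {
    build_rules | grep -c -- "-s $1 "
}

# Add your own administrative access (e.g. SSH from a management host) to build_rules
# before running with "apply", or the DROP policy will lock you out.
if [ "$1" = "apply" ]; then
    build_rules | while IFS= read -r rule; do eval "$rule"; done
else
    build_rules
fi
```

Run it without arguments to print the rule set for review; run it as root with `apply` to load the rules.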