Cause
A serious security vulnerability was recently found in our product. A remote, unauthenticated user can execute any Java code on the server.
The ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar allows any other servlet on the classpath to be invoked, even one that is not explicitly deployed, which exposes test servlets and administration servlets.
Resolving the problem
Starting from JViews 8.8 patch 21 and JViews 89 patch 1, the only servlets that may be executed are:
- servlets declared in web.xml
- servlets whose fully qualified class name starts with ilog.views.faces.
If you want to run another servlet, you have to declare it in the IlvFacesController servlet parameter ilog.views.faces.ilvAuthorizedServletsList, which holds a comma-separated list of regular expressions.
web.xml example: this would allow the execution of any servlet whose name starts with bsh or toto
<servlet>
    <servlet-name>Controller</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
    <init-param>
        <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
        <param-value>bsh.*,toto.*</param-value>
    </init-param>
...
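As an added illustration of the allow-list rule above (this is not the JViews implementation), the check a controller would apply before dispatching to a servlet, in Java. The ServletAllowList class, the sample class names and the whole-name regex matching (String.matches semantics) are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical allow-list check: declared in web.xml, built-in prefix, or authorized regex. */
public final class ServletAllowList {
    private static final String BUILT_IN_PREFIX = "ilog.views.faces.";
    private final Set<String> declaredInWebXml;      // servlet classes listed in web.xml
    private final List<Pattern> authorizedPatterns;  // from ilvAuthorizedServletsList

    public ServletAllowList(Set<String> declaredInWebXml, String authorizedListParam) {
        this.declaredInWebXml = Collections.unmodifiableSet(new HashSet<>(declaredInWebXml));
        this.authorizedPatterns = parseAuthorizedList(authorizedListParam);
    }

    /** Parses the comma-separated init-param. A malformed regex throws at startup (fail closed). */
    static List<Pattern> parseAuthorizedList(String param) {
        List<Pattern> patterns = new ArrayList<>();
        if (param == null) return patterns;
        for (String entry : param.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) patterns.add(Pattern.compile(trimmed));
        }
        return patterns;
    }

    /** Returns true only if the class name satisfies one of the three rules; unknown names are denied. */
    public boolean isAllowed(String servletClassName) {
        if (servletClassName == null) return false;
        if (declaredInWebXml.contains(servletClassName)) return true;
        if (servletClassName.startsWith(BUILT_IN_PREFIX)) return true;
        for (Pattern p : authorizedPatterns) {
            if (p.matcher(servletClassName).matches()) return true;  // whole-name match, not substring
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: one servlet declared in web.xml, plus the page's "bsh.*,toto.*" list.
        Set<String> declared = new HashSet<>();
        declared.add("com.example.ReportServlet");
        ServletAllowList acl = new ServletAllowList(declared, "bsh.*,toto.*");
        for (String name : new String[] {"com.example.ReportServlet", "ilog.views.faces.IlvFacesController",
                                         "bsh.ExampleServlet", "com.example.AdminServlet"}) {
            System.out.println(name + " -> " + (acl.isAllowed(name) ? "allowed" : "denied"));
        }
    }
}
```

Anything not declared, not under ilog.views.faces. and not matched by a listed pattern is denied, so an overly broad pattern such as .* in the init-param would reopen the original exposure.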