H3-2021-0047
JBoss Application Server HTTP Invoker Remote Code Execution Vulnerability
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 9.8 |
Description
The JBoss server allows unauthenticated users to access the /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet endpoints. This is the default configuration in JBoss 4.x, 5.x, and 6.x.
Impact
This misconfiguration permits unauthenticated remote attackers to run arbitrary commands on the vulnerable host by submitting crafted serialized Java payloads to the /invoker/JMXInvokerServlet or /invoker/EJBInvokerServlet URLs.
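A remediation check for the two invoker endpoints, added here as an example and not part of the original advisory: it sends a plain GET (no payload) to each path and reports whether the servlet is removed, behind authentication, or still reachable anonymously. The base URL and the status-code-to-verdict mapping (401/403 as protected, 404 as removed, 200 with a Java-serialized content type as exposed) are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# The two default JBoss 4.x-6.x invoker endpoints named in the advisory.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")


@dataclass
class Finding:
    path: str
    status: int
    content_type: str
    verdict: str


def classify(status: int, content_type: str) -> str:
    """Map an unauthenticated GET response to a remediation verdict.
    Assumption: JBoss answers a bare GET on a live invoker with a
    Java-serialized body; 401/403 means a security constraint is applied."""
    ct = (content_type or "").lower()
    if status in (401, 403):
        return "AUTH_REQUIRED"      # remediation in place: login enforced
    if status == 404:
        return "NOT_DEPLOYED"       # invoker application removed
    if status == 200 and "x-java-serialized-object" in ct:
        return "EXPOSED"            # servlet answers anonymously: fix this
    if status in (200, 500):
        return "REACHABLE_REVIEW"   # reachable without auth; inspect manually
    return "UNKNOWN"


def probe(base_url: str, path: str, timeout: float = 5.0) -> Finding:
    """Issue one harmless GET and classify the response."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, ct = resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a verdict
        status, ct = err.code, err.headers.get("Content-Type", "")
    return Finding(path, status, ct, classify(status, ct))


def audit(base_url: str) -> list:
    return [probe(base_url, p) for p in INVOKER_PATHS]


if __name__ == "__main__":
    # Assumed default: a local JBoss instance on its standard HTTP port.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for f in audit(target):
        print(f"{f.verdict:16} {f.status:3} {f.content_type or '-':40} {f.path}")
```

Run it after applying the vendor guidance in the references (removing the invoker applications or constraining them) to confirm every path reports NOT_DEPLOYED or AUTH_REQUIRED.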
References
- JexBoss - JBoss Verify and Exploitation Tool
- CISA Analysis Report (AR18-312A): JexBoss – JBoss Verify and EXploitation Tool
- FoxGlove Security: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common?
- SAS Guidance: Removing the JMX Console and the EJBInvokerServlet and JMXInvokerServlet applications from the JBoss application server
- IBM: JBoss Security Remediation Guidance
- MITRE ATT&CK Technique: T1210: Exploitation of Remote Services