H3-2022-0058
Jolokia Local File Inclusion Misconfiguration
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.5 |
Description
Jolokia is a JMX-HTTP bridge that provides an alternative to JSR-160 connectors. It is an agent-based approach with support for many platforms.
Impact
When the Jolokia library (jolokia-core) is on the application classpath, Spring Boot auto-configures a Jolokia actuator endpoint: Spring Boot 1.x serves it at '/jolokia' with no further configuration, while Spring Boot 2.x serves it at '/actuator/jolokia' only if the endpoint id is listed in management.endpoints.web.exposure.include. If that endpoint is reachable without authentication and Jolokia is running without an access policy that restricts MBeans, a client can invoke the compilerDirectivesAdd operation of the com.sun.management:type=DiagnosticCommand MBean with an arbitrary path. The JVM then tries to parse that file as a JSON compiler-directives file and echoes the text it failed to parse in its error output, disclosing the contents of files readable by the application's user on the misconfigured host.
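As an added example (not code from the advisory, from Jolokia or from Spring Boot), the script below builds the Jolokia request that reaches DiagnosticCommand.compilerDirectivesAdd in both its POST and GET forms, flags such requests in access-log records, and checks Spring Boot 2.x actuator properties to decide whether the jolokia endpoint is reachable over HTTP at all. The request shapes and the '!/' path escaping follow Jolokia's documented protocol, and the include/exclude rule follows Spring Boot 2.x documentation; the sample records and property maps are constructed for illustration.

```python
"""Added example around the Jolokia DiagnosticCommand file-read finding.

Not code from the advisory or the Jolokia/Spring Boot projects; the
sample traffic and property maps below are constructed for illustration.
"""
import json
from urllib.parse import unquote

DIAG_MBEAN = "com.sun.management:type=DiagnosticCommand"


def build_file_read_request(path):
    """Jolokia 'exec' request body. The JVM tries to parse `path` as a JSON
    compiler-directives file and echoes what it could not parse in the error."""
    return {"type": "exec", "mbean": DIAG_MBEAN,
            "operation": "compilerDirectivesAdd", "arguments": [path]}


def jolokia_get_path(req, base="/jolokia"):
    """GET form of an exec request. Jolokia escapes '!' as '!!' and '/' as '!/'
    inside path segments, so '/etc/passwd' travels as '!/etc!/passwd'."""
    args = "/".join(a.replace("!", "!!").replace("/", "!/") for a in req["arguments"])
    return f"{base}/exec/{req['mbean']}/{req['operation']}/{args}"


def diagnostic_command_op(method, path, body=""):
    """Return the DiagnosticCommand operation a Jolokia request invokes, or None.
    Handles the GET path encoding and POST bodies (single request or batch list)."""
    if "/jolokia" not in path:
        return None
    if method.upper() == "GET":
        marker = f"/exec/{DIAG_MBEAN}/"
        decoded = unquote(path)
        i = decoded.find(marker)
        if i < 0:
            return None
        return decoded[i + len(marker):].split("/", 1)[0] or None
    try:
        data = json.loads(body) if body else None
    except ValueError:
        return None
    reqs = data if isinstance(data, list) else [data]
    for r in reqs:
        if isinstance(r, dict) and r.get("type") == "exec" and r.get("mbean") == DIAG_MBEAN:
            return r.get("operation")
    return None


def scan_records(records):
    """records: iterable of (method, path, body). Returns [(index, operation)]."""
    hits = []
    for i, (method, path, body) in enumerate(records):
        op = diagnostic_command_op(method, path, body)
        if op:
            hits.append((i, op))
    return hits


def jolokia_web_exposed(props):
    """Spring Boot 2.x rule: the endpoint is served at /actuator/jolokia only if it
    is in management.endpoints.web.exposure.include ('*' or by id), not in
    ...exclude (exclude wins), and not disabled. The default include list never
    contains jolokia; Spring Boot 1.x served /jolokia with no such setting."""
    def ids(key):
        return {s.strip() for s in props.get(key, "").split(",") if s.strip()}
    if props.get("management.endpoint.jolokia.enabled", "true").lower() == "false":
        return False
    include = ids("management.endpoints.web.exposure.include")
    exclude = ids("management.endpoints.web.exposure.exclude")
    if "jolokia" in exclude or "*" in exclude:
        return False
    return "jolokia" in include or "*" in include


# Constructed sample traffic: a benign actuator call, the POST form of the file
# read, the GET form, and a batch request carrying the same operation.
SAMPLE_RECORDS = [
    ("GET", "/actuator/health", ""),
    ("POST", "/actuator/jolokia", json.dumps(build_file_read_request("/etc/passwd"))),
    ("GET", jolokia_get_path(build_file_read_request("/etc/hosts"), base="/actuator/jolokia"), ""),
    ("POST", "/jolokia", json.dumps([{"type": "read", "mbean": "java.lang:type=Memory"},
                                     build_file_read_request("/proc/self/environ")])),
]

if __name__ == "__main__":
    for idx, op in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: Jolokia exec of DiagnosticCommand.{op}")
    print("exposed with include=*:",
          jolokia_web_exposed({"management.endpoints.web.exposure.include": "*"}))
```

The detector keys on the MBean rather than on the operation name, because DiagnosticCommand carries other operations worth noticing on a production service; the exposure check is the one to run against an application's properties before treating the finding as reachable.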