H3-2021-0047
JBoss Application Server HTTP Invoker Remote Code Execution Vulnerability
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 9.8 |
Description
The JBoss server allows unauthenticated users to access the /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet endpoints. This is a default configuration is JBoss 4.x, 5.x, and 6.x.
Impact
This misconfiguration permits unauthenticated remote attackers to run arbitrary commands on the vulnerable host by submitting crafted serialized Java payloads to the /invoker/JMXInvokerServlet or /invoker/EJBInvokerServlet URLs.
References
- JexBoss - JBoss Verify and Exploitation Tool
- CISA Analysis Report (AR18-312A): JexBoss – JBoss Verify and EXploitation Tool
- FoxGlove Security: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common?
- SAS Guidance: Removing the JMX Console and the EJBInvokerServlet and JMXInvokerServlet applications from the JBoss application server
- IBM: JBoss Security Remediation Guidance