Vulnerabilities > CVE-2010-0738 - Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 17 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Exploit-Db
description JBoss JMX Console Beanshell Deployer WAR upload and deployment. CVE-2010-0738. Remote exploits for multiple platform id EDB-ID:16319 last seen 2016-02-01 modified 2011-01-10 published 2011-01-10 reporter metasploit source https://www.exploit-db.com/download/16319/ title JBoss JMX Console Beanshell Deployer WAR upload and deployment description JBoss & JMX Console & Misconfigured Deployment Scanner. CVE-2010-0738. Webapps exploit for jsp platform id EDB-ID:17924 last seen 2016-02-02 modified 2011-10-03 published 2011-10-03 reporter y0ug source https://www.exploit-db.com/download/17924/ title JBoss & JMX Console & Misconfigured Deployment Scanner description JBoss Application Server Remote Exploit. CVE-2010-0738. Webapps exploit for jsp platform id EDB-ID:16274 last seen 2016-02-01 modified 2011-03-04 published 2011-03-04 reporter kingcope source https://www.exploit-db.com/download/16274/ title JBoss Application Server Remote Exploit description JBoss Java Class DeploymentFileRepository WAR deployment. CVE-2010-0738. Remote exploits for multiple platform id EDB-ID:16316 last seen 2016-02-01 modified 2010-08-03 published 2010-08-03 reporter metasploit source https://www.exploit-db.com/download/16316/ title JBoss Java Class DeploymentFileRepository WAR deployment
Metasploit
description This module scans a JBoss instance for a few vulnerabilities. id MSF:AUXILIARY/SCANNER/HTTP/JBOSS_VULNSCAN last seen 2020-03-13 modified 2019-09-12 published 2010-06-21 references - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3273
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1429
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1428
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12149
reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/jboss_vulnscan.rb title JBoss Vulnerability Scanner description This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file which then deploys the WAR file. id MSF:EXPLOIT/MULTI/HTTP/JBOSS_DEPLOYMENTFILEREPOSITORY last seen 2020-05-01 modified 2017-07-24 published 2012-08-15 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jboss_deploymentfilerepository.rb title JBoss Java Class DeploymentFileRepository WAR Deployment description This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us. id MSF:EXPLOIT/MULTI/HTTP/JBOSS_MAINDEPLOYER last seen 2020-03-11 modified 2017-07-24 published 2012-06-19 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jboss_maindeployer.rb title JBoss JMX Console Deployer Upload and Execute description This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user. id MSF:AUXILIARY/SCANNER/SAP/SAP_ICM_URLSCAN last seen 2020-06-07 modified 2017-07-24 published 2011-10-22 references https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738 reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sap/sap_icm_urlscan.rb title SAP URL Scanner description This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer\'s createScriptDeployment() method. id MSF:EXPLOIT/MULTI/HTTP/JBOSS_BSHDEPLOYER last seen 2020-06-14 modified 1976-01-01 published 1976-01-01 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jboss_bshdeployer.rb title JBoss JMX Console Beanshell Deployer WAR Upload and Deployment description This module uses the DeploymentFileRepository class in the JBoss Application Server to deploy a JSP file which then deploys an arbitrary WAR file. id MSF:AUXILIARY/ADMIN/HTTP/JBOSS_DEPLOYMENTFILEREPOSITORY last seen 2020-05-22 modified 2020-05-12 published 2014-12-08 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb title JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment description This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method. id MSF:AUXILIARY/ADMIN/HTTP/JBOSS_BSHDEPLOYER last seen 2020-06-06 modified 1976-01-01 published 1976-01-01 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/jboss_bshdeployer.rb title JBoss JMX Console Beanshell Deployer WAR Upload and Deployment
Nessus
NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_42328.NASL description s700_800 11.X OV NNM9.00 NNM 9.0x Patch 5 : The remote HP-UX host is affected by multiple vulnerabilities : - Apotential security vulnerability has been identified with HP Network Node Manager I (NNMi) on HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized access. References: CVE-2013-2351 (SSRT101012, ZDI-CAN-1566). - A potential security vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized disclosure of information. (HPSBMU02714 SSRT100244) - Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in cross site scripting (XSS). (HPSBMU02708 SSRT100633) - A potential vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized access to NNMi processes. (HPSBMA02659 SSRT100440) last seen 2020-06-01 modified 2020-06-02 plugin id 56849 published 2012-03-06 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56849 title HP-UX PHSS_42328 : s700_800 11.X OV NNM9.00 NNM 9.0x Patch 5 code # # (C) Tenable Network Security, Inc. # # The descriptive text and patch checks in this plugin were # extracted from HP patch PHSS_42328. The text itself is # copyright (C) Hewlett-Packard Development Company, L.P. # include("compat.inc"); if (description) { script_id(56849); script_version("1.24"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_cve_id("CVE-2010-0738", "CVE-2011-1534", "CVE-2011-4155", "CVE-2011-4156", "CVE-2013-2351"); script_bugtraq_id(47420, 50635, 61132); script_xref(name:"HP", value:"emr_na-c02788734"); script_xref(name:"IAVB", value:"2013-B-0073"); script_xref(name:"HP", value:"emr_na-c03035744"); script_xref(name:"HP", value:"emr_na-c03057508"); script_xref(name:"HP", value:"emr_na-c03747342"); script_xref(name:"HP", value:"SSRT100244"); script_xref(name:"HP", value:"SSRT100440"); script_xref(name:"HP", value:"SSRT100633"); script_name(english:"HP-UX PHSS_42328 : s700_800 11.X OV NNM9.00 NNM 9.0x Patch 5"); script_summary(english:"Checks for the patch in the swlist output"); script_set_attribute( attribute:"synopsis", value:"The remote HP-UX host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "s700_800 11.X OV NNM9.00 NNM 9.0x Patch 5 : The remote HP-UX host is affected by multiple vulnerabilities : - Apotential security vulnerability has been identified with HP Network Node Manager I (NNMi) on HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized access. References: CVE-2013-2351 (SSRT101012, ZDI-CAN-1566). - A potential security vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized disclosure of information. (HPSBMU02714 SSRT100244) - Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in cross site scripting (XSS). (HPSBMU02708 SSRT100633) - A potential vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized access to NNMi processes. (HPSBMA02659 SSRT100440)" ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02788734 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7dec283b" ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03035744 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8792dae1" ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03057508 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?85d28e00" ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03747342 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?54da22c0" ); script_set_attribute( attribute:"solution", value:"Install patch PHSS_42328 or subsequent." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-12-132"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'JBoss JMX Console Deployer Upload and Execute'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/11/03"); script_set_attribute(attribute:"patch_modification_date", value:"2011/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_family(english:"HP-UX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("hpux.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX"); if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING); if (!hpux_check_ctx(ctx:"11.23 11.31")) { exit(0, "The host is not affected since PHSS_42328 applies to a different OS release."); } patches = make_list("PHSS_42328"); foreach patch (patches) { if (hpux_installed(app:patch)) { exit(0, "The host is not affected because patch "+patch+" is installed."); } } flag = 0; if (hpux_check_patch(app:"HPOvNNM.HPNMSJBOSS", version:"9.00.000")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Web Servers NASL id JBOSS_EAP_JMX_CONSOLE_AUTH_BYPASS2.NASL description The version of JBoss Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to documents under the /jmx-console directory. This is due to a misconfiguration in web.xml which only requires authentication for GET and POST requests. Specifying a different verb such as HEAD, DELETE, or PUT causes the default GET handler to be used without authentication. A remote, unauthenticated attacker could exploit this by deploying a malicious .war file, resulting in arbitrary code execution. This version of JBoss EAP likely has other vulnerabilities (refer to Nessus plugins 33869 and 46181). last seen 2020-06-01 modified 2020-06-02 plugin id 53337 published 2011-04-08 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/53337 title JBoss Enterprise Application Platform '/jmx-console' Authentication Bypass NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0379.NASL description Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix three security issues and multiple bugs are now available for Red Hat Enterprise Linux 5 as JBEAP 4.3.0.CP08. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.3.0.CP07. These updated packages include multiple bug fixes which are detailed in the Release Notes. The Release Notes will be available shortly from the link in the References section. The following security issues are also fixed with this release : The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP last seen 2020-06-01 modified 2020-06-02 plugin id 63931 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63931 title RHEL 5 : JBoss EAP (RHSA-2010:0379) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA10627.NASL description According to its self-reported version number, the remote Junos Space version is prior to 13.3R1.8. It is, therefore, affected by multiple vulnerabilities in bundled third party software components : - Multiple vulnerabilities in RedHat JBoss application server. (CVE-2010-0738, CVE-2010-1428, CVE-2010-1429, CVE-2011-5245, CVE-2012-0818) - Multiple vulnerabilities in Oracle Java SE JDK. (CVE-2012-3143, CVE-2013-1537, CVE-2013-1557, CVE-2013-2422) - Multiple vulnerabilities in Oracle MySQL server. (CVE-2013-1502, CVE-2013-1511, CVE-2013-1532, CVE-2013-1544, CVE-2013-2375, CVE-2013-2376, CVE-2013-2389, CVE-2013-2391, CVE-2013-2392, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3808, CVE-2013-3809, CVE-2013-3812, CVE-2013-3839) - Multiple vulnerabilities in Apache HTTP Server. (CVE-2013-1862, CVE-2013-1896) - Known hard-coded MySQL credentials. (CVE-2014-3413) last seen 2020-06-01 modified 2020-06-02 plugin id 80195 published 2014-12-22 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80195 title Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0378.NASL description Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix three security issues and multiple bugs are now available for Red Hat Enterprise Linux 5 as JBEAP 4.2.0.CP09. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.2.0.CP08. These updated packages include multiple bug fixes which are detailed in the Release Notes. The Release Notes will be available shortly from the link in the References section. The following security issues are also fixed with this release : The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP last seen 2020-06-01 modified 2020-06-02 plugin id 63930 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63930 title RHEL 5 : JBoss EAP (RHSA-2010:0378) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0376.NASL description Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix three security issues and multiple bugs are now available for Red Hat Enterprise Linux 4 as JBEAP 4.2.0.CP09. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement to JBEAP 4.2.0.CP08. These updated packages include multiple bug fixes which are detailed in the Release Notes. The Release Notes will be available shortly from the link in the References section. The following security issues are also fixed with this release : The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP last seen 2020-06-01 modified 2020-06-02 plugin id 63928 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63928 title RHEL 4 : JBoss EAP (RHSA-2010:0376) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0377.NASL description Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix three security issues and multiple bugs are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP08. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement to JBEAP 4.3.0.CP07. These updated packages include multiple bug fixes which are detailed in the Release Notes. The Release Notes will be available shortly from the link in the References section. The following security issues are also fixed with this release : The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP last seen 2020-06-01 modified 2020-06-02 plugin id 63929 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63929 title RHEL 4 : JBoss EAP (RHSA-2010:0377)
Packetstorm
data source https://packetstormsecurity.com/files/download/90957/jboss_bshdeployer.rb.txt id PACKETSTORM:90957 last seen 2016-12-05 published 2010-06-24 reporter Patrick Hof source https://packetstormsecurity.com/files/90957/JBoss-JMX-Console-Beanshell-Deployer-WAR-Upload-And-Deployment.html title JBoss JMX Console Beanshell Deployer WAR Upload And Deployment data source https://packetstormsecurity.com/files/download/130221/MSA-2015-02.txt id PACKETSTORM:130221 last seen 2016-12-05 published 2015-02-03 reporter Hans-Martin Muench source https://packetstormsecurity.com/files/130221/Hewlett-Packard-UCMDB-10.10-JMX-Console-Authentication-Bypass.html title Hewlett-Packard UCMDB 10.10 JMX-Console Authentication Bypass data source https://packetstormsecurity.com/files/download/105520/jboss-addurl.txt id PACKETSTORM:105520 last seen 2016-12-05 published 2011-10-03 reporter y0ug source https://packetstormsecurity.com/files/105520/JBoss-addURL-Misconfiguration-Attack.html title JBoss addURL Misconfiguration Attack
Redhat
| advisories |
| ||||||||||||||||
| rpms |
|
Saint
| bid | 39710 |
| description | RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass |
| id | web_dev_jbossasver |
| osvdb | 64171 |
| title | jboss_application_server_jmx_console_authentication_bypass |
| type | remote |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:20967 last seen 2017-11-19 modified 2011-10-05 published 2011-10-05 reporter Root source https://www.seebug.org/vuldb/ssvid-20967 title JBoss addURL Misconfiguration Attack bulletinFamily exploit description BUGTRAQ ID: 39710 CVE ID: CVE-2010-0738,CVE-2010-1428,CVE-2010-1429 JBoss企业应用平台(EAP)是J2EE应用的中间件平台。 JBoss企业应用平台中存在多个非授权访问漏洞,远程用户可以绕过认证执行非授权操作或读取敏感信息。 1) JMX控制台配置仅对使用GET和POST HTTP命令的请求指定了认证要求,远程攻击者可以创建没有指定GET或POST的HTTP请求,导致无需认证便被默认的GET处理器执行。 2) 默认阻断了对JBoss应用服务器Web控制台(/web-console)的非认证访问,但这种阻断并不彻底,仅阻断了GET和POST HTTP命令。远程攻击者可以利用这个漏洞访问敏感信息。 3) RHSA-2008:0828更新修复了未经认证用户可访问状态servlet的漏洞(CVE-2008-3273);但RHSA-2009:0349中的bug修复重新引入了这个漏洞。远程攻击者可以利用这个漏洞获得有关所部署的web上下文的详细信息。 RedHat JBoss EAP 4.3 RedHat JBoss EAP 4.2 厂商补丁: RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2010:0376-01)以及相应补丁: RHSA-2010:0376-01:Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update 链接:https://www.redhat.com/support/errata/RHSA-2010-0376.html id SSV:19528 last seen 2017-11-19 modified 2010-04-29 published 2010-04-29 reporter Root title JBoss企业应用平台多个非授权访问漏洞 bulletinFamily exploit description No description provided by source. id SSV:72182 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-72182 title JBoss, JMX Console, misconfigured DeploymentScanner bulletinFamily exploit description No description provided by source. id SSV:70837 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-70837 title JBoss JMX Console Beanshell Deployer WAR upload and deployment
References
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- http://www.vupen.com/english/advisories/2010/0992
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- http://securitytracker.com/id?1023918
- http://www.securityfocus.com/bid/39710
- http://secunia.com/advisories/39563
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- http://securityreason.com/securityalert/8408
- http://marc.info/?l=bugtraq&m=132129312609324&w=2
- http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58147