JBoss Enterprise Application Platform '/jmx-console' Authentication Bypass
high Nessus Plugin ID 53337
Language:
Synopsis
The remote web server has an authentication bypass vulnerability.Description
The version of JBoss Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to documents under the /jmx-console directory. This is due to a misconfiguration in web.xml which only requires authentication for GET and POST requests.Specifying a different verb such as HEAD, DELETE, or PUT causes the default GET handler to be used without authentication.
A remote, unauthenticated attacker could exploit this by deploying a malicious .war file, resulting in arbitrary code execution.
This version of JBoss EAP likely has other vulnerabilities (refer to Nessus plugins 33869 and 46181).
Solution
Upgrade to JBoss EAP version 4.2.0.CP09 / 4.3.0.CP08 or later.If a non-vulnerable version of the software is being used, remove all <http-method> elements from the <security-constraint> section of the appropriate web.xml.
See Also
http://www.nessus.org/u?a1451410
http://www.mindedsecurity.com/MSA030409.html
https://bugzilla.redhat.com/show_bug.cgi?id=574105
Plugin Details
Severity: High
ID: 53337
File Name: jboss_eap_jmx_console_auth_bypass2.nasl
Version: 1.25
Type: remote
Family: Web Servers
Published: 4/8/2011
Updated: 4/11/2022
Risk Information
VPR
Risk Factor: Medium
Score: 6.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal Vector: E:H/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:redhat:jboss_enterprise_application_platform
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/26/2010
Vulnerability Publication Date: 4/26/2010
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (JBoss JMX Console Deployer Upload and Execute)
ExploitHub (EH-12-132)
Reference Information
CVE: CVE-2010-0738
BID: 39710