Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities

critical Nessus Plugin ID 70414
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :

- A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.
(CVE-2007-1036)

- A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.
(CVE-2012-0874)

- A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.
(CVE-2013-4810)

Solution

If using EMC Data Protection Advisor, either upgrade to version 6.x or apply the workaround for 5.x.

Otherwise, contact the vendor or remove any affected JBoss servlets.

See Also

http://www.nessus.org/u?74979c27

https://www.zerodayinitiative.com/advisories/ZDI-13-229/

http://www.nessus.org/u?52567bc1

https://seclists.org/bugtraq/2013/Oct/126

https://www.securityfocus.com/archive/1/530241/30/0/threaded

https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt

Plugin Details

Severity: Critical

ID: 70414

File Name: jmxinvokerservlet_ejbinvokerservlet_rce.nasl

Version: 1.23

Type: remote

Family: CGI abuses

Published: 10/14/2013

Updated: 1/19/2021

Dependencies: http_version.nasl

Risk Information

VPR

Risk Factor: High

Score: 7.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:F/RL:U/RC:ND

Vulnerability Information

CPE: cpe:/a:hp:procurve_manager, cpe:/a:hp:application_lifecycle_management, cpe:/a:hp:identity_driven_manager, cpe:/a:redhat:jboss_enterprise_web_platform, cpe:/a:redhat:jboss_enterprise_application_platform, cpe:/a:redhat:jboss_enterprise_brms_platform, cpe:/a:redhat:jboss_enterprise_application_platform, cpe:/a:jboss:jboss_application_server, cpe:/a:symantec:workspace_streaming

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 9/9/2013

Exploitable With

Core Impact

Metasploit (JBoss JMX Console Deployer Upload and Execute)

ExploitHub (EH-13-606)

Reference Information

CVE: CVE-2007-1036, CVE-2012-0874, CVE-2013-4810

BID: 57552, 62854, 77037

CERT: 632656

EDB-ID: 16318, 21080, 28713, 30211

ZDI: ZDI-13-229

HP: HPSBGN02952, SSRT101127, emr_na-c04041110

CWE: 264