JBoss Java Object Deserialization RCE
Critical Nessus Plugin ID 87312
SynopsisThe remote JBoss server is affected by multiple remote code execution vulnerabilities.
DescriptionThe remote JBoss server is affected by multiple remote code execution vulnerabilities :
- A flaw exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. A remote attacker can exploit this issue to bypass authentication and invoke MBean methods, allowing arbitrary code to be executed in the context of the user running the server.
- The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host.
SolutionApply the appropriate interim fix according to the vendor advisory.
Alternatively, ensure that all exposed ports used by the JBoss server are firewalled from any public networks.