JBoss server hacked with a simple browser
A flaw in the default configuration of JBoss, the open source Java application server, gives attackers full control of the system using nothing more than a browser. In a default installation, access to the Java Management Extensions (JMX) console is not protected, which lets an attacker run code with the rights of the JBoss server process. The JMX console configures Managed Beans (MBeans), Java objects that represent server or application resources. Among the MBean operations it exposes is addURL, which deploys a web archive (WAR) from an arbitrary URL: the attacker hosts a malicious WAR on another server and has JBoss fetch and deploy it. Security service provider n.runs has published a description of the problem showing how to find a vulnerable server and deploy a WAR file that accepts system commands over HTTP and executes them with the rights of the JBoss server.
The standard settings after installation leave the JMX console unprotected, even though the JBoss documentation explicitly states that it must be secured. Administrators who want to require a password should follow Securing the JMX Console and Web Console on the JBoss wiki. Symantec had already pointed out a similar problem at the end of 2006 and recommended setting passwords for access to the management console on port 8080, the HTTP port on which the JMX console is served by default.
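The following audit script is an added example and is not part of the original article, the n.runs report, or JBoss's own tooling. It performs the two checks a practitioner would want after reading the above: offline, it parses a jmx-console WEB-INF/web.xml and reports whether a security-constraint with an auth-constraint covers the whole console and a login-config is present; online, it classifies the HTTP response to a request for /jmx-console/. The web.xml documents are constructed for this example, and the role name JBossAdmin and the realm name are assumptions. The script goes slightly beyond the text in one respect: it flags a constraint that lists explicit http-method elements, because the Servlet specification applies such a constraint only to the listed verbs, so any other verb reaches the console without authentication.

```python
"""Audit whether a JBoss jmx-console requires a login.

Check 1 (offline): inspect WEB-INF/web.xml for a security-constraint that
covers the whole console, demands a role and is backed by a login-config.
Check 2 (online): request /jmx-console/ and classify the response.
All web.xml samples below are constructed for this example.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: a console descriptor with no security-constraint at all.
OPEN_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/HtmlAdaptor</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same console locked down. Role and realm names are
# assumptions. No <http-method> is listed on purpose: a constraint that names
# only GET and POST leaves every other verb unprotected.
LOCKED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# Constructed sample: a half measure that protects only GET and POST.
VERB_LIMITED_WEB_XML = LOCKED_WEB_XML.replace(
    "<url-pattern>/*</url-pattern>",
    "<url-pattern>/*</url-pattern>\n"
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>",
)


def _local(tag):
    """Strip an XML namespace so the audit works for any web-app version."""
    return tag.split("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return (protected, findings) for a jmx-console web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = _local(el.tag)
    findings = []
    constraints = root.findall("security-constraint")
    if not constraints:
        findings.append("no security-constraint: the console is open to anyone")
    covered = False
    for sc in constraints:
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        if "/*" not in patterns:
            findings.append("url-pattern %s does not cover the whole console" % patterns)
            continue
        if sc.find("auth-constraint") is None:
            findings.append("constraint on /* has no auth-constraint, so no role is required")
            continue
        if methods:
            findings.append("constraint lists http-method %s only; other verbs bypass it" % methods)
            continue
        covered = True
    has_login = root.find("login-config") is not None
    if not has_login:
        findings.append("no login-config: the container cannot challenge for credentials")
    return covered and has_login, findings


def classify_response(status, www_authenticate=None):
    """Map the HTTP reply for /jmx-console/ to exposed, protected, absent or unknown."""
    if status == 200:
        return "exposed"          # console page served without any credentials
    if status in (401, 403):
        return "protected"        # 401 normally carries a WWW-Authenticate challenge
    if status == 404:
        return "absent"           # console not deployed on this host
    return "unknown"              # e.g. 302 to a FORM login page: inspect by hand


def probe_jmx_console(base_url, timeout=5):
    """Live check (network, not exercised offline): classify GET /jmx-console/."""
    url = base_url.rstrip("/") + "/jmx-console/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("WWW-Authenticate"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("WWW-Authenticate"))


if __name__ == "__main__":
    for name, doc in [("open", OPEN_WEB_XML), ("locked", LOCKED_WEB_XML),
                      ("verb-limited", VERB_LIMITED_WEB_XML)]:
        ok, notes = audit_web_xml(doc)
        print("%-13s protected=%s %s" % (name, ok, "; ".join(notes)))
```

Run the script as-is to see the three verdicts, or point probe_jmx_console at http://host:8080 to test a live server; an "exposed" result means anyone on the network can reach the MBean operations described above.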
- Hacking a default jBoss Installation using a Browser, report from n.runs.