Sam

Reputation: 564

EJBInvokerServlet / JMXInvokerServlet

Thanks to anyone reading this post.

A penetration test was performed by an external agency on my Staging server application which is on JBoss 4.0.4 instance.

It was reported for ‘Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution’

It is suggested to upgrade the JBoss server to close the vulnerability. Because of different business reasons I cannot upgrade to the latest versions for the next 1 year or so.

In my application we don’t need to use any war deployment through any of these Servlets. I made some changes to work around it [work around for the next 1 year]. What is the best way to test whether the environment is still vulnerable to this reported case? – I don’t have the option to get the service from the external agency again.

By the way, after my changes, for the URLs http:///invoker/EJBInvokerServlet and http:///invoker/JMXInvokerServlet I can see the page with the message ‘The requested resource (/invoker/JMXInvokerServlet) is not available.’ Before the changes these URLs were opening EJBInvokerServlet and JMXInvokerServlet.

Can someone please suggest the way to validate whether the environment is still vulnerable?

Also let me know if any recommended solution is available to fix the vulnerability in JBoss 4.0.4.

Thank you.

Upvotes: 1

Views: 12814

Answers (3)

user2893427

Reputation: 51

Use Apache Web server (or any other http server) as a reverse proxy in front of JBoss and disable access to JBoss management endpoints. So basically JBoss is listening only on localhost.

<VirtualHost *:443>
    ServerName server.domain
...
    # Exclusions must come before the catch-all ProxyPass below;
    # requests to these paths are served (refused) by Apache and never reach JBoss.
    ProxyPass /invoker/EJBInvokerServlet !
    ProxyPass /invoker/JMXInvokerServlet !

    # Port must match the AJP connector in JBoss's server.xml
    # (JBoss 4 defaults: 8009 for AJP, 8080 for HTTP).
    ProxyPass / ajp://localhost:8080/
    ProxyPassReverse / ajp://localhost:8080/
</VirtualHost>

Upvotes: 0

juanchi

Reputation: 26

It seems you are referring to CVE-2012-0874:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0874

An exploit for this vulnerability may be found at:

http://www.securityfocus.com/bid/62854

Look under the "exploit" tab on that page. The PHP code attempts an HTTP POST request to deploy an arbitrary war file.

You said you can no longer access the /invoker/EJBInvokerServlet and /invoker/JMXInvokerServlet resources, so you are safe.

Upvotes: 1

Steve C

Reputation: 19445

Have you also disabled or secured the JMX Console?

If you have secured it by uncommenting the security constraints in its web.xml, make sure that you remove all the http-method elements, otherwise attackers can use the HEAD method to gain unsecured access.

The recommended solution to fix all vulnerabilities is to upgrade.

Upvotes: 1
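To check the point Steve C raises, here is an added example (not code from any poster or from JBoss): a small Python audit that parses a servlet web.xml and flags every security-constraint that enumerates http-method elements, since such a constraint protects only the listed verbs and leaves HEAD, OPTIONS and the rest unauthenticated. The descriptor below is a constructed sample modelled on a jmx-console style web.xml, not the project's real file.

```python
# Audit a servlet web.xml for security-constraints that only cover listed HTTP methods.
# A <web-resource-collection> with <http-method> children restricts only those verbs;
# the robust form omits <http-method> so the constraint applies to every method.
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip an XML namespace so 2.3 DTD and 2.4+ XSD descriptors are handled alike.
    return tag.rsplit('}', 1)[-1]

def find_partial_constraints(web_xml):
    """Return [(url_patterns, http_methods)] for constraints that name HTTP methods."""
    findings = []
    root = ET.fromstring(web_xml)
    for constraint in root.iter():
        if _local(constraint.tag) != 'security-constraint':
            continue
        patterns, methods = [], []
        for node in constraint.iter():
            name = _local(node.tag)
            if name == 'url-pattern':
                patterns.append((node.text or '').strip())
            elif name == 'http-method':
                methods.append((node.text or '').strip())
        if methods:  # only the listed verbs are protected: flag it
            findings.append((sorted(patterns), sorted(methods)))
    return findings

# Constructed sample descriptor (weak form: GET/POST protected, HEAD etc. are not).
WEAK_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: the same constraint with the <http-method> elements removed.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

if __name__ == '__main__':
    print(find_partial_constraints(WEAK_WEB_XML))   # [(['/*'], ['GET', 'POST'])]
    print(find_partial_constraints(FIXED_WEB_XML))  # []
```

Run it against the deployed jmx-console and web-console web.xml files; an empty result means every constraint applies to all HTTP methods.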
