Summary
Apache Tomcat/JBoss Application Server is prone to multiple remote code-execution vulnerabilities.
Impact
Successfully exploiting these issues may allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Solution
Ask the vendor for an update.
Insight
The specific flaw exists within the exposed EJBInvokerServlet and JMXInvokerServlet. An unauthenticated attacker can post a marshalled object allowing them to install an arbitrary application on the target server.
Affected
Apache Tomcat/JBoss Application Server
Detection
Determine whether EJBInvokerServlet/JMXInvokerServlet is accessible without authentication.
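The detection step above, as an added example that is not part of the advisory or its scanner: a Python check that requests the two invoker servlets without credentials and reports whether they answer. The `/invoker/` context paths are an assumption, taken from the standard deployment location of the JBoss invoker web application.

```python
"""Check whether the JBoss invoker servlets answer without authentication."""
import sys
import urllib.error
import urllib.request

# Assumed default context paths of the two servlets named in the advisory.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")


def classify(status):
    """Map the HTTP status returned for a servlet path to a finding.

    401/403 mean an access check fired; 404 means the invoker web
    application is not deployed; any 2xx means the servlet answered an
    unauthenticated request, which is the exposure the advisory describes.
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not-deployed"
    if 200 <= status < 300:
        return "exposed"
    return "unknown"


def probe(base_url, timeout=10):
    """Send an unauthenticated GET to each invoker path and classify the reply.

    A GET performs no invocation; it only shows whether the servlet is
    reachable without credentials. Returns a dict of {path: finding}.
    """
    findings = {}
    for path in INVOKER_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                findings[path] = classify(resp.status)
        except urllib.error.HTTPError as err:  # non-2xx replies raise here
            findings[path] = classify(err.code)
        except (urllib.error.URLError, OSError):
            findings[path] = "unreachable"
    return findings


if __name__ == "__main__":
    # Target is a constructed default; pass the server's base URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for servlet, finding in probe(target).items():
        print(f"{servlet}: {finding}")
```

Any path reported as "exposed" matches the condition the advisory's detection describes; "protected" or "not-deployed" means the unauthenticated access vector is closed for that servlet.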
References
Updated on 2015-03-25
Severity
CVSS Base Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C