Description

In the default configuration, after JBoss is installed, the web console is available at http://localhost:8080/web-console. The Web console can be used to display the JNDI tree, dump the list of threads, redeploy an application or even shutdown the application server. By default, the console is not secured and can be used by remote attackers. Check References for detailed information.

The Web Console includes a JMX Invoker that normally residing at the URL http://localhost:8080/web-console/Invoker.
This Invoker is a fully-edged JMX Invoker and not limited to the functionality provided by the Web Console. Access to this Invoker is unrestricted even from remote by default, so that attackers can use it to send arbitrary JMX commands to the JBoss AS.

Remediation

Restrict access to JBoss Web Console.

References

Securing the JMX Console and Web Console

Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?

Related Vulnerabilities

WordPress Plugin Cherry Team Members Information Disclosure (1.4.1)

Joomla! Core 3.x.x Information Disclosure (3.0.0 - 3.8.7)

Joomla! Core 2.5.x Information Disclosure (2.5.0 - 2.5.3)

Whoops error handler component detected

Joomla! Core 1.6.x Information Disclosure (1.6.0 - 1.6.6)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A

Tags

Information Disclosure Configuration