Description

Jolokia is an alternative to JSR-160 connectors for remote JMX access. It provides REST-like access to JMX with JSON over HTTP.

The Jolokia API should not be publicly accessible on production websites. Jolokia includes a reloadByURL action (provided by the Logback library), that allows an attacker to reload the logging config from an external URL resulting in a XML External Entity (XXE) vulnerability.

Remediation

Restrict access to the Jolokia API endpoint. Allow access only from the internal network.

References

Exploiting Spring Boot Actuators

Related Vulnerabilities

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

Oracle Business Intelligence ReportTemplateService XXE CVE-2019-2616

Reverse proxy misrouting

VMware Horizon Log4Shell RCE

SAP Hybris Deserialization RCE

Severity

High

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XXE Acumonitor