Is the JMXInvokerServlet in JBoss EAP vulnerable to remote code execution exploits?
FoxGlove Security [1] reported an issue affecting JBoss Application Server (AS) 6.1.0 via the JMXInvokerServlet interface. JBoss AS is the legacy community project and is not supported by Red Hat; it is distinct from JBoss Enterprise Application Platform (EAP), which is supported as part of the JBoss Middleware Suite.
The FoxGlove Security article described a vulnerability in JBoss AS 6.1.0 involving Java Object Serialization and the JMXInvokerServlet interface, and gave an example demonstrating that a remote code-execution exploit is possible. The exploit requires the Apache commons-collections library [2] to be on the server's classpath, and it highlights the danger of deserializing Java objects received from untrusted sources.
The reported issue does not impact products in the JBoss Middleware Suite (including EAP 5 and EAP 6). In EAP 5, authentication is required before a message can be sent to the JMXInvokerServlet, and the servlet does not exist in EAP 6. However, while investigating this issue, further, separate issues were identified which need to be patched. For more information on those issues, see this article.
[1] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[2] https://commons.apache.org/proper/commons-collections/
- Red Hat JBoss BPM Suite
- Red Hat JBoss Data Virtualization
- Red Hat JBoss Enterprise Application Platform
- Red Hat JBoss Fuse Service Works
- Red Hat JBoss Operations Network
- Red Hat JBoss Portal
- Red Hat JBoss SOA Platform
- Red Hat JBoss Data Services
- Red Hat Data Grid
- Red Hat Decision Manager
- Red Hat JBoss Web Server
- JBoss Enterprise Web Platform
- Red Hat AMQ
- Red Hat Fuse