⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-15.

CVE-2010-0738 — Exposed Dangerous Method or Function in Redhat Jboss Enterprise Application Platform

CWE-749 — Exposed Dangerous Method or Function CWE-264 CWE-287 — Improper Authentication CWE-94 — Code Injection CWE-284 — Improper Access Control37 documents13 sources

Severity

9.8CRITICALNVD

NVD6.8NVD5.3CNA7.5CNA5.3VulnCheck5.3CISA5.3

EPSS

91.3%

top 0.34%

CISA KEV

KEVRansomware

Added 2022-05-25

Due 2022-06-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Redhat Jboss Enterprise Application Platform Redhat Jboss Enterprise Brms Platform Redhat Jboss Enterprise Portal Platform +2 more

Timeline

PublishedApr 28

KEV addedMay 25

KEV dueJun 15

Latest updateFeb 12

CISA Required Action: Apply updates per vendor instructions.

Description

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDredhat/jboss_enterprise_application_platform5.1.1+5

▶NVDredhat/jboss_enterprise_soa_platform5.1.1+6

▶NVDredhat/jboss_enterprise_brms_platform5.2.0

▶NVDredhat/jboss_enterprise_portal_platform4.3.0

▶NVDhp/procurve_manager3.20, 4.0+1

🔴Vulnerability Details

GHSA

GHSA-24wp-35x7-5hx9: The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5↗2022-05-17

▶

GHSA

GHSA-mm58-72w4-25hp: HP ProCurve Manager (PCM) 3↗2022-05-17

▶

GHSA

GHSA-72pp-v9jm-c6xj: The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4↗2022-05-02

▶

CVEList

CVE-2013-4810: HP ProCurve Manager (PCM) 3↗2013-09-13

▶

CVEList

CVE-2011-4085: The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5↗2012-11-23

▶

💥Exploits & PoCs

Exploit-DB

Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass↗2015-02-03

▶

Exploit-DB

JBoss & JMX Console - Misconfigured Deployment Scanner↗2011-10-03

▶

Exploit-DB

JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution↗2011-03-04

▶

Exploit-DB

JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)↗2011-01-10

▶

Exploit-DB

JBoss JMX - Console Deployer Upload and Execute (Metasploit)↗2010-10-19

▶

🔍Detection Rules

Suricata

ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt↗2011-12-10

▶

Suricata

ET WEB_SERVER JBoss jmx-console Probe↗2011-12-10

▶

Suricata

ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt↗2010-07-30

▶

Suricata

ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt↗2010-07-30

▶

📋Vendor Advisories

CISA

Red Hat JBoss Authentication Bypass Vulnerability↗2022-05-25

▶

Red Hat

Invoker servlets authentication bypass (HTTP verb tampering)↗2011-11-16

▶

Red Hat

JBoss EAP jmx authentication bypass with crafted HTTP request↗2010-04-26

▶

🕵️Threat Intelligence

Fortinet

A Closer Look at Satan Ransomware’s Propagation Techniques↗2019-05-20

▶

Tenable

SamSam Ransomware: How to Identify and Mitigate the Risk↗2018-03-28

▶

Tenable

SamSam Ransomware: How to Identify and Mitigate the Risk↗2018-03-28

▶

📄Research Papers

arXiv

Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures↗2025-02-12

▶

💬Community

Bugzilla

CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)↗2011-11-01

▶

Bugzilla

CVE-2010-0738 JBoss EAP jmx authentication bypass with crafted HTTP request↗2010-03-16

▶