CVE-2010-1428
Published: 2010-04-28
Priority: P186high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-06-15)
Exploited in the wild
EPSS: 62.31% (99.1th percentile)
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP requests to /web-console using methods other than GET and POST (e.g., HEAD, PUT, DELETE, TRACE, OPTIONS); these bypass JBoss EAP access controls and indicate exploitation of CVE-2010-1428.
- CVE-2010-1428 is actively exploited by SamSam ransomware actors targeting unpatched JBoss servers; treat any anomalous non-GET/POST access to /web-console as a high-priority alert in ransomware triage.
- Use the Metasploit auxiliary module jboss_vulnscan (rapid7/metasploit-framework) to scan for this and related JBoss vulnerabilities during assessment.
- The /web-console path blocks only GET and POST by default; non-standard HTTP verbs (HEAD, PUT, DELETE, TRACE, OPTIONS, etc.) are NOT blocked and bypass authentication entirely on JBoss EAP 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08.
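As an added example (not code from this page or from any of the quoted sources), a small Python detector for the first indicator above: it parses common-format access log lines and flags requests to /web-console that use a method other than GET or POST, then counts hits per source address for triage. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Common/combined access log line as written by Apache or a Tomcat/JBoss AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

ALLOWED = {"GET", "POST"}      # the only verbs the vulnerable access control covered
WATCH_PREFIX = "/web-console"  # console path named in the advisories

def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bypass_attempt(rec):
    """True when the request targets /web-console (or anything beneath it) with a non-GET/POST verb."""
    if rec is None:
        return False
    path = rec["path"].split("?", 1)[0].lower()
    # Match /web-console and its sub-paths, but not unrelated paths such as /web-console-docs.
    in_console = path == WATCH_PREFIX or path.startswith(WATCH_PREFIX + "/")
    return in_console and rec["method"] not in ALLOWED

def find_bypass_attempts(lines):
    """Return (ip, method, path, status) for every flagged line; a 2xx status is the stronger signal."""
    hits = []
    for line in lines:
        rec = parse_line(line.strip())
        if is_bypass_attempt(rec):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits

def attempts_per_source(lines):
    """Count flagged requests per source address to prioritise which hosts to investigate first."""
    return Counter(ip for ip, *_ in find_bypass_attempts(lines))

# Constructed sample log lines (hypothetical addresses and paths, not captured traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2018:03:12:01 +0000] "GET /web-console/ HTTP/1.1" 401 -',
    '198.51.100.7 - - [10/Apr/2018:03:12:02 +0000] "HEAD /web-console/ HTTP/1.1" 200 -',
    '198.51.100.7 - - [10/Apr/2018:03:12:05 +0000] "OPTIONS /web-console/some/page HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Apr/2018:03:13:40 +0000] "POST /web-console/index.jsp HTTP/1.1" 401 -',
    '203.0.113.9 - - [10/Apr/2018:03:14:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2018:03:14:09 +0000] "TRACE /web-console-docs/ HTTP/1.1" 405 -',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("ALERT non-GET/POST request to web console:", hit)
```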
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
CISA
Red Hat JBoss Information Disclosure Vulnerability
cisa·2022-05-25·CVSS 7.5
CVE-2010-1428 [HIGH] CWE-264 Red Hat JBoss Information Disclosure Vulnerability
Vulnerability: Red Hat JBoss Information Disclosure Vulnerability
Affected: Red Hat JBoss
Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-1428
Remediation Due Date: 2022-06-15
Red Hat
JBoss Application Server Web Console Authentication bypass
vendor_redhat·2010-04-26·CVSS 7.5
CVE-2010-1428 [HIGH] JBoss Application Server Web Console Authentication bypass
JBoss Application Server Web Console Authentication bypass
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
GHSA
GHSA-vcwg-4772-7rvx: The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4
ghsa_unreviewed·2022-05-02
CVE-2010-1428 [MEDIUM] CWE-749 GHSA-vcwg-4772-7rvx: The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
VulnCheck
Red Hat JBoss Information Disclosure Vulnerability
vulncheck·2010·CVSS 7.5
CVE-2010-1428 [HIGH] CWE-264 Red Hat JBoss Information Disclosure Vulnerability
Red Hat JBoss Information Disclosure Vulnerability
Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information.
Affected: Red Hat JBoss
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://nsarchive.gwu.edu/sites/default/files/documents/5986978/National-Security-Archive-Department-of-Justice.pdf; https://www.tenable.com/blog/samsam-ransomware-how-to-identify-and-mitigate-the-risk; https://news.sophos.com/en-us/2018/05/02/shutting-out-samsam-ransomware/; https://www.securonix.com/securonix-threat-re
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004378; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004377; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004376; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004374; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_na
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004375; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac
Suricata
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT
ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac
Bugzilla
CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
bugzilla·2010-04-26·CVSS 7.5
CVE-2010-1428 [HIGH] CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
CVE-2010-1428 JBoss Application Server Web Console Authentication bypass
Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP "verbs".
A remote attacker could use this flaw to gain access to sensitive information.
Discussion:
This issue has been addressed in the following products:
JBEAP 4.2.0 for RHEL 4
Via RHSA-2010:0376 https://rhn.redhat.com/errata/RHSA-2010-0376.html
---
This issue has been addressed in the following products:
JBEAP 4.3.0 for RHEL 4
Via RHSA-2010:0377 https://rhn.redhat.com/errata/RHSA-2010-0377.html
---
This issue has been addressed in the following products:
JBEAP 4.2.0 for RHEL 5
Via RHSA-2010:0378 https://rhn.redhat.com/erra
Tenable
SamSam Ransomware: How to Identify and Mitigate the Risk
blogs_tenable·2018-03-28
SamSam Ransomware: How to Identify and Mitigate the Risk
# SamSam Ransomware: How to Identify and Mitigate the Risk
Tenable Research
March 28, 2018
3 Min Read
SamSam ransomware, which hit the city of Atlanta's systems in late March 2018, continues to be a threat. The most recent iteration leverages brute force remote desktop protocol (RDP) as an attack vector.
#### Updated on August 22, 2018
The latest iteration of SamSam attacks primarily leverages brute force RDP via tools like NLBrute while it previously leveraged JBoss/deserialization vulnerabilities. Plugin 66173 will detect exposure of remote RDP targets (rdp_logon_screen.nbin)
Remote RDP widens your attack surface and can be an easy way for attackers to get into your network. If you must use remote RDP, Two-Factor Authentication (2FA) along w
References
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://secunia.com/advisories/39563
- http://securitytracker.com/id?1023917
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=585899
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1428

Timeline
- 2010-04-28: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild