CVE-2010-1871
published 2010-08-05


Priority: P1 · 90 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-10
Exploited in the wild
EPSS: 83.40% (99.6th percentile)
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

Affected

1 range
Vendor | Product | Version range | Fixed in
redhat | jboss_enterprise_application_platform | |

Detection & IOCs (extracted from sources)

url: /admin-console/login.seam
port: 8080
command: actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}
command: actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}
  • Detect exploit check requests: HTTP POST to the Seam login endpoint with a body containing 'actionOutcome=' and URL-encoded EL expression '%23{' targeting 'java.lang.Runtime' and 'getDeclaredMethod'
  • Detect successful exploitation by monitoring HTTP 302 redirect responses whose Location header matches the pattern 'public+static+java.lang.Runtime+java.lang.Runtime.getRuntime%28%29'
  • Detect successful RCE command execution by monitoring HTTP 302 redirect responses whose Location header contains 'user=java.lang.UNIXProcess'
  • Detect file upload stage by monitoring HTTP 302 redirect responses whose Location header matches 'user=&conversationId', indicating a successful file write via the EL injection
  • Monitor for unexpected JSP and JAR file creation in the JBoss web application root directory, as the exploit uploads a JAR payload and a JSP stager, then calls the JSP to execute the payload
  • The vulnerability is only exploitable when the Java Security Manager is absent or misconfigured; a properly configured Security Manager prevents exploitation
  • The exploit targets the /admin-console/login.seam endpoint by default, which is known to be vulnerable without requiring authentication on JBoss AS 5 and 6
  • The vulnerability also affects IBM WebSphere 6.1 running on iSeries, not only Red Hat JBoss EAP 4.3.0
  • Only JBoss Seam versions < 2.2.1CR2 are vulnerable; the flaw did not affect the version of Seam shipped in JBEAP 4.2
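
The request and 302-redirect indicators listed above can be combined into one log check. The following is an added example, not code from this page or from any vendor: the record layout, the function names `classify` and `triage`, the ranking of stages and the sample records are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request markers from the first detection bullet, compared after URL-decoding.
REQ_MARKERS = ("actionoutcome=", "#{", "java.lang.runtime", "getdeclaredmethod")
# 302 Location markers from the other bullets; the ranking order is an assumption.
RESP_STAGES = [
    ("check_confirmed", re.compile(
        r"public static java\.lang\.Runtime java\.lang\.Runtime\.getRuntime\(\)")),
    ("file_written", re.compile(r"user=&conversationId")),
    ("command_executed", re.compile(r"user=java\.lang\.UNIXProcess")),
]
RANK = ["el_injection_request"] + [name for name, _ in RESP_STAGES]

def classify(txn):
    """Return the finding labels for one request/response record (a dict)."""
    findings = []
    body = unquote_plus(txn.get("body", "")).lower()
    if (txn.get("method") == "POST" and txn.get("path", "").endswith("login.seam")
            and all(marker in body for marker in REQ_MARKERS)):
        findings.append("el_injection_request")
    if txn.get("status") == 302:
        location = unquote_plus(txn.get("location", ""))
        findings += [name for name, rx in RESP_STAGES if rx.search(location)]
    return findings

def triage(txns):
    """Map each client to the highest-ranked finding seen for it."""
    worst = {}
    for txn in txns:
        for label in classify(txn):
            current = worst.get(txn["client"])
            if current is None or RANK.index(label) > RANK.index(current):
                worst[txn["client"]] = label
    return worst

# Constructed records, not real traffic; the /x.seam redirect target is made up.
POST = {"method": "POST", "path": "/admin-console/login.seam", "status": 302}
SAMPLE = [
    dict(POST, client="192.0.2.10",
         body="actionOutcome=/success.xhtml?user%3d%23{expressions.getClass()"
              ".forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}",
         location="/x.seam?user=public+static+java.lang.Runtime"
                  "+java.lang.Runtime.getRuntime%28%29&conversationId=5"),
    dict(POST, client="192.0.2.10", body="",
         location="/x.seam?user=java.lang.UNIXProcess%40placeholder"),
    dict(POST, client="192.0.2.77", body="login_form=login_form",
         location="/x.seam?conversationId=7"),
]
```

Calling `triage(SAMPLE)` flags only the first client, at the `command_executed` stage; the ordinary login redirect from the second client produces no finding.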

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 8.8 | HIGH |
cisa | | 8.8 | HIGH |
vendor_redhat | | 8.8 | HIGH |