CVE-2010-1871
Published 2010-08-05
Priority: P190 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-10
Exploited in the wild
EPSS: 83.40% (99.6th percentile)
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | — | — |
Detection & IOCs (extracted from sources)
command: actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}
command: actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}
- Detect exploit check requests: HTTP POST to the Seam login endpoint with a body containing 'actionOutcome=' and URL-encoded EL expression '%23{' targeting 'java.lang.Runtime' and 'getDeclaredMethod'
- Detect successful exploitation by monitoring HTTP 302 redirect responses whose Location header matches the pattern 'public+static+java.lang.Runtime+java.lang.Runtime.getRuntime%28%29'
- Detect successful RCE command execution by monitoring HTTP 302 redirect responses whose Location header contains 'user=java.lang.UNIXProcess'
- Detect file upload stage by monitoring HTTP 302 redirect responses whose Location header matches 'user=&conversationId', indicating a successful file write via the EL injection
- Monitor for unexpected JSP and JAR file creation in the JBoss web application root directory, as the exploit uploads a JAR payload and a JSP stager, then calls the JSP to execute the payload
- The vulnerability is only exploitable when the Java Security Manager is absent or misconfigured; a properly configured Security Manager prevents exploitation
- The exploit targets the /admin-console/login.seam endpoint by default, which is known to be vulnerable without requiring authentication on JBoss AS 5 and 6
- The vulnerability also affects IBM WebSphere 6.1 running on iSeries, not only Red Hat JBoss EAP 4.3.0
- Only JBoss Seam versions < 2.2.1CR2 are vulnerable; the flaw did not affect the version of Seam shipped in JBEAP 4.2
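The request and redirect indicators listed above, applied to HTTP transaction records. This is an added example, not part of the original page or of any vendor detection rule; the record field names, the '.seam' path test, the double URL-decoding step and the sample events are constructed assumptions.

```python
from urllib.parse import unquote_plus

# Decoded forms of the markers listed in the detection notes above.
REQUEST_MARKERS = ("actionOutcome=", "#{", "java.lang.Runtime", "getDeclaredMethod")
REDIRECT_RULES = [  # (substring of the decoded Location header, finding)
    ("public static java.lang.Runtime java.lang.Runtime.getRuntime()", "exploit-check-succeeded"),
    ("user=java.lang.UNIXProcess", "command-executed"),
    ("user=&conversationId", "file-write-stage"),
]

def decode(value):
    """Decode twice so '%23{', '%23%7B' and double-encoded forms all normalise."""
    return unquote_plus(unquote_plus(value or ""))

def classify(event):
    """Return the findings for one HTTP transaction record (a dict)."""
    findings = []
    body = decode(event.get("body"))
    is_seam_post = event.get("method") == "POST" and ".seam" in (event.get("path") or "")
    if is_seam_post and all(marker in body for marker in REQUEST_MARKERS):
        findings.append("el-injection-request")
    if event.get("status") == 302:
        location = decode(event.get("location"))
        findings += [name for needle, name in REDIRECT_RULES if needle in location]
    return findings

# Constructed sample records; bodies are empty where the proxy did not log them.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/admin-console/login.seam", "status": 302,
     "body": "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass()"
             ".forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}",
     "location": "/admin-console/success.seam?user=public+static+java.lang.Runtime"
                 "+java.lang.Runtime.getRuntime%28%29&conversationId=1"},
    {"method": "POST", "path": "/admin-console/login.seam", "status": 302, "body": "",
     "location": "/admin-console/success.seam?user=java.lang.UNIXProcess%4012ab34&conversationId=2"},
    {"method": "POST", "path": "/admin-console/login.seam", "status": 302, "body": "",
     "location": "/admin-console/success.seam?user=&conversationId=3"},
    {"method": "POST", "path": "/admin-console/login.seam", "status": 302,
     "body": "login_form=login_form&login_form%3Aname=admin",
     "location": "/admin-console/secure/summary.seam?conversationId=4"},
]

if __name__ == "__main__":
    for number, event in enumerate(SAMPLE_EVENTS, start=1):
        print(number, classify(event) or "clean")
```

A redirect finding without a matching request finding usually means the request body was not logged, so the Location header rules are worth running even where body capture is off.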
CVSS provenance
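| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |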
GHSA
GHSA-r6fv-qmrc-3h24: JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4
ghsa_unreviewed·2022-05-17
CVE-2010-1871 [MEDIUM] CWE-20 GHSA-r6fv-qmrc-3h24: JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
VulnCheck
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
vulncheck·2010·CVSS 8.8
CVE-2010-1871 [HIGH] CWE-20 Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured.
Affected: Red Hat JBoss Seam 2
Required Action: Apply updates per vendor instructions.
Exploitation References: https://raesene.github.io/blog/2011/07/30/from-poc-to-shell-cve-2010-1871/; https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-10
CISA
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
cisa·2021-12-10·CVSS 8.8
CVE-2010-1871 [HIGH] CWE-20 Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
Vulnerability: Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
Affected: Red Hat JBoss Seam 2
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-1871
Remediation Due Date: 2022-06-10
Red Hat
Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
vendor_redhat·2010-07-27·CVSS 8.8
CVE-2010-1871 [HIGH] Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
No detection rules found.
Exploit-DB
JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit)
exploitdb·2015-04-06
CVE-2010-1871 JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit)
---
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 'JBoss Seam 2 File Upload and Execute',
'Description' => %q{
Versions of the JBoss Seam 2 framework [ 'vulp1n3 ' ],
'References' =>
[
# JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs
['CVE', '2010-1871'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'],
['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'],
['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html']
],
'DisclosureDate' => "Aug 05 2010",
'License' => MSF_LICENSE,
'Platform' => %w{ java },
'Targets
Metasploit
JBoss Seam 2 File Upload and Execute
metasploit
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fail to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This module leverages RCE to upload and execute a given payload. Versions of the JBoss application server (AS) admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This module provides a more efficient method of exploitation: it does not loop to find desired Java classes and methods.
Metasploit
JBoss Seam 2 Remote Command Execution
metasploit
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This module has also been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
Bugzilla
CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
bugzilla·2010-07-19·CVSS 8.8
CVE-2010-1871 [HIGH] CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
An improper input sanitization flaw was found in the way JBoss Seam
web application framework processed certain parametrized JBoss
Expression Language expressions. A remote attacker could use this flaw
to execute arbitrary code via a URL, containing appended, specially-crafted
expression language parameters, provided to certain applications based on
the JBoss Seam framework. Note: A properly configured and enabled Java
Security Manager would prevent exploitation of this flaw.
References:
[1] http://seamframework.org/
[2] http://docs.jboss.org/seam/2.2.0.GA/en-US/html/elenhancements.html
Acknowledgements:
Red Hat would like to thank Meder Kydyraliev of Google Security Team
for responsibly
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
SpeakUp: A New Undetected Backdoor Linux Trojan
blogs_checkpoint·2019-02-04
CVE-2018-20062 SpeakUp: A New Undetected Backdoor Linux Trojan
## SpeakUp: A New Undetected Backdoor Linux Trojan
Check Point Research has discovered a new campaign exploiting Linux servers to implant a new Backdoor Trojan.
Dubbed ‘SpeakUp’, the new Tro
- http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html
- http://www.redhat.com/support/errata/RHSA-2010-0564.html
- http://www.securityfocus.com/bid/41994
- http://www.securitytracker.com/id?1024253
- http://www.vupen.com/english/advisories/2010/1929
- https://bugzilla.redhat.com/show_bug.cgi?id=615956
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60794
- https://security.netapp.com/advisory/ntap-20161017-0001/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1871
2010-08-05: Published
2021-12-10: Added to CISA KEV
Exploited in the wild