CVE-2013-4810
published 2013-09-16

CVE-2013-4810: HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to…

Priority: P1, 96 (critical) · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 79.00% (99.5th percentile)
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.

Affected

2 ranges

Vendor | Product          | Version range | Fixed in
hp     | procurve_manager |               |
hp     | procurve_manager |               |

Detection & IOCs (extracted from sources)

url:   /invoker/EJBInvokerServlet/
url:   /invoker/JMXInvokerServlet/
ua:    Java/1.6.0_21
other: ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
path:  /a/pwn.jsp
  • Alert on HTTP requests with User-Agent 'Java/1.6.0_21' POSTing to invoker servlet paths, as this is the hardcoded agent in the public exploit.
  • Monitor for GET requests to /a/pwn.jsp with a 'cmd' query parameter, indicating successful WAR deployment and webshell access following exploitation.
  • The exploit deploys a WAR file from a remote URL; monitor outbound HTTP connections from the JBoss/PCM server to external hosts fetching .war files shortly after an invoker servlet POST.
  • CVE-2013-4810 specifically targets unauthenticated exposure of JMXInvokerServlet and EJBInvokerServlet; verify these endpoints require authentication and block unauthenticated access at the network perimeter.
  • All supported Red Hat JBoss products apply authentication to JMXInvokerServlet and EJBInvokerServlet by default and are NOT affected; only older unsupported community releases of JBoss AS (WildFly) 4.x and 5.x are vulnerable.
  • JBoss AS (WildFly) 7.x community releases are also not affected by this issue.
  • This CVE is likely a duplicate of earlier issues CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874 covering the same unauthenticated invoker servlet attack surface.
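The detection points above can be turned into a small log-triage rule. The following is an added example written for this page, not code from the page's sources: it reads constructed JSON-lines HTTP events (the field names `src`, `method`, `url`, `user_agent`, `content_type` are an assumption about the log format) and flags the invoker-servlet POSTs, the hardcoded `Java/1.6.0_21` agent, the serialized-object content type, and the `/a/pwn.jsp?cmd=` webshell follow-up.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Indicator values come from the IOC list on this page.
INVOKER_PATHS = {"/invoker/EJBInvokerServlet", "/invoker/JMXInvokerServlet"}
EXPLOIT_UA = "Java/1.6.0_21"
SERIALIZED_CT = "application/x-java-serialized-object"
WEBSHELL_PATH = "/a/pwn.jsp"

def classify(event):
    """Return alert names for one HTTP event (dict with method, url, user_agent,
    content_type keys; the field names are an assumption about the log source)."""
    alerts = []
    url = urlsplit(event.get("url", ""))
    path = url.path.rstrip("/")          # IOCs list the servlet paths with a trailing slash
    method = event.get("method", "").upper()
    ctype = event.get("content_type", "").lower()
    if method == "POST" and path in INVOKER_PATHS:
        if ctype.startswith(SERIALIZED_CT):
            alerts.append("serialized-object-to-invoker")
        if event.get("user_agent") == EXPLOIT_UA:
            alerts.append("exploit-user-agent")
        if not alerts:
            alerts.append("invoker-servlet-post")   # any unauthenticated invoker POST is worth review
    query = parse_qs(url.query, keep_blank_values=True)
    if method == "GET" and path == WEBSHELL_PATH and "cmd" in query:
        alerts.append("webshell-command")
    return alerts

def scan(log_text):
    """Run classify() over JSON-lines log text; return (src, method, url, alerts) per hit."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            alerts = classify(ev)
            if alerts:
                hits.append((ev["src"], ev["method"], ev["url"], alerts))
    return hits

# Constructed sample events (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """
{"src": "203.0.113.5", "method": "POST", "url": "/invoker/JMXInvokerServlet/", "user_agent": "Java/1.6.0_21", "content_type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"}
{"src": "203.0.113.5", "method": "GET", "url": "/a/pwn.jsp?cmd=id", "user_agent": "Mozilla/5.0", "content_type": ""}
{"src": "198.51.100.9", "method": "GET", "url": "/static/logo.png", "user_agent": "Mozilla/5.0", "content_type": ""}
{"src": "198.51.100.9", "method": "POST", "url": "/invoker/EJBInvokerServlet", "user_agent": "Mozilla/5.0", "content_type": "application/x-www-form-urlencoded"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third sample line produces no alert, while the fourth is flagged only as a generic invoker POST, which is the case the mitigation bullet (require authentication on these endpoints) is meant to eliminate.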

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL