CVE-2018-1000130
Published 2018-03-14

CVE-2018-1000130: A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.

- Priority: P183 · high · 8.1 (CVSS 3.0)
- Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Flags: ITW · EXPLOIT · VulnCheck KEV
- Exploited in the wild
- EPSS: 73.57% (99.4th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jolokia | webarchive_agent | — | — |
Detection & IOCs (extracted from sources)
- url: `POST /jolokia/read/getDiagnosticOptions HTTP/1.1`
- path: `/jolokia/read/getDiagnosticOptions`
- command: `{"type":"read","mbean":"java.lang:type=Memory","target":{"url":"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"}}`
- port: `1389`

- Response body contains a JNDI/LDAP connection failure string indicating the proxy mode JNDI injection attempt was processed by the server: match on 'Failed to retrieve RMIServer stub: javax.naming.CommunicationException' with the attacker-controlled host:port to confirm vulnerability.
- Exploitation requires the Jolokia WAR agent specifically; the JVM agent is not affected. Scope detection to WAR deployments with proxy mode enabled.
- Exploit payload is delivered as a JSON POST body to the Jolokia endpoint with a 'target.url' field containing an attacker-controlled JNDI/LDAP URI (service:jmx:rmi:///jndi/ldap://...). Monitor for outbound LDAP connections originating from the JVM process.
- HTTP request Content-Type is application/x-www-form-urlencoded while the body is JSON, an anomalous combination that can be used as an additional detection signal for this specific exploit template.
- Vulnerability only applies when Jolokia is running in proxy mode. The WAR agent has proxy mode enabled by default; the JVM agent does not support proxy mode and is not affected.
- Red Hat OpenStack Platform ships the affected code but proxy mode is not enabled by default in any supported RHOSP configuration, reducing practical exploitability in that environment.
- Affected version is Jolokia agent 1.3.7; the fix (JMX service URL white-listing and corrected WAR agent defaults) was introduced in version 1.5.0.
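
The detection notes above can be combined into one log-side check. The following is an added example, not code from Jolokia or from any of the sources quoted on this page: the function names, finding labels and the `allowed` parameter are assumptions, and the allowlist only loosely mirrors the idea of the 1.5.0 service URL white-listing rather than reproducing its implementation.

```python
import json

# String the first detection note says appears in the response body.
STUB_ERROR = "Failed to retrieve RMIServer stub: javax.naming.CommunicationException"


def jndi_lookup(target_url):
    """Return the JNDI URI embedded in a JMX service URL, or None."""
    if not target_url.lower().startswith("service:jmx:"):
        return None
    _, sep, inner = target_url.partition("/jndi/")
    return inner if sep else None


def inspect(method, path, content_type, body, response_body="", allowed=()):
    """Return a sorted list of finding labels for one request/response pair."""
    if method.upper() != "POST" or "/jolokia" not in path:
        return []
    try:
        parsed = json.loads(body)
    except ValueError:
        return []
    findings = set()
    if content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        findings.add("json_body_with_form_content_type")
    # Jolokia accepts one request object or a JSON array of them (bulk request).
    for req in parsed if isinstance(parsed, list) else [parsed]:
        target = req.get("target") if isinstance(req, dict) else None
        url = target.get("url") if isinstance(target, dict) else None
        if not isinstance(url, str):
            continue
        findings.add("proxy_mode_request")
        inner = jndi_lookup(url)
        if inner and url not in allowed:
            findings.add("jndi_target_not_allowlisted:" + inner.split(":", 1)[0].lower())
    if findings and STUB_ERROR in response_body:
        findings.add("server_processed_jndi_lookup")
    return sorted(findings)


# Constructed samples; the first body is the command string quoted on this page.
SAMPLES = [
    ("POST", "/jolokia/read/getDiagnosticOptions", "application/x-www-form-urlencoded",
     '{"type":"read","mbean":"java.lang:type=Memory","target":{"url":'
     '"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"}}', STUB_ERROR),
    ("POST", "/jolokia/", "application/json",
     '{"type":"read","mbean":"java.lang:type=Memory"}', ""),
]
print([inspect(*s) for s in SAMPLES])
```

A `proxy_mode_request` finding on its own marks legitimate proxy use as well, so the `allowed` set should list the JMX service URLs an environment actually proxies to.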
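
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
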
GHSA
Injection in Jolokia agent
ghsa·2022-05-14
CVE-2018-1000130 [HIGH] CWE-74 Injection in Jolokia agent
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
OSV
Injection in Jolokia agent
osv·2022-05-14
CVE-2018-1000130 [HIGH] Injection in Jolokia agent
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
VulnCheck
jolokia webarchive_agent Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2018·CVSS 8.1
CVE-2018-1000130 [HIGH] jolokia webarchive_agent Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
Affected: jolokia webarchive_agent
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-03&host_type=src&vulnerability=cve-2018-1000130; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-08&host_type=src&vulnerability=cve-2018-1000130; https://dashboard.shadowser
Red Hat
jolokia: JMX proxy mode vulnerable to remote code execution
vendor_redhat·2018-02-08·CVSS 8.1
CVE-2018-1000130 [HIGH] CWE-99 jolokia: JMX proxy mode vulnerable to remote code execution
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
Statement: For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. For this reason, the RHOSP impact has been reduced to Low and this issue is not currently planned to be addressed in future updates.
Package: jolokia-core (JBoss Developer Studio 11) - Not affected
Package: jolokia-core (Red Hat AMQ Broker 7) - Affected
Package: opendaylight (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affec
No detection rules found.
Nuclei
Jolokia Agent - JNDI Code Injection
nuclei·CVSS 8.1
CVE-2018-1000130 [HIGH] Jolokia Agent - JNDI Code Injection
Jolokia agent is vulnerable to a JNDI injection vulnerability that allows a remote attacker to run arbitrary Java code on the server when the agent is in proxy mode.
Template:
```yaml
id: CVE-2018-1000130

info:
  name: Jolokia Agent - JNDI Code Injection
  author: milo2012
  severity: high
  description: |
    Jolokia agent is vulnerable to a JNDI injection vulnerability that allows a remote attacker to run arbitrary Java code on the server when the agent is in proxy mode.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, compromising the affected system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the vulnerability.
  reference:
    - https://jolokia.org/#Security_fixes_with_1.5.0
    - https:
```