cbcvebase.
CVE-2018-10682
published 2018-05-09


Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.22% (94.2nd percentile)
An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server.

Affected (1 range)

Vendor  | Product | Version range | Fixed in
wildfly | wildfly |               |

Detection & IOCs (extracted from sources)

port: TCP/9990
path: /management
  • Monitor TCP port 9990 for unauthenticated (anonymous) access attempts to the WildFly administration panel.
  • Alert on .war file uploads/deployments via the WildFly management interface (port 9990, /management context), especially from unauthenticated or anonymous sessions, since auto-deployment is enabled by default and turns an anonymous deployment into code execution.
  • Detect HTTP requests to the /management context on port 9990 that do not carry authentication credentials, particularly those submitting multipart/form-data or deployment payloads.
  • Anonymous access is NOT enabled in the default WildFly installation; the vulnerability only applies when anonymous access has been explicitly configured. Verify whether anonymous authentication is enabled before treating detections as exploitable.
  • Red Hat does not classify this as a vulnerability for its products (JBoss EAP 7, JBoss Data Grid 7, RH SSO 7, RH Virtualization 4), all marked 'Not affected', because default installations enforce authentication on management interfaces.
  • Even with anonymous access enabled, additional mitigating architectures (proxy-based access control, network isolation) may prevent exploitation. Assess the full network path to port 9990 before concluding exposure.
  • When using the Elytron security subsystem, anonymous authentication policies can be defined even without a sasl-authentication-factory reference, meaning the attack surface may exist in Elytron-configured deployments as well.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat |         | 9.8   | CRITICAL |