CVE-2018-10682
Published 2018-05-09
Priority P268 · critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 8.22% (94.2th percentile)
An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wildfly | wildfly | — | — |
Detection & IOCs (extracted from sources)
- Monitor TCP port 9990 for unauthenticated (anonymous) access attempts to the WildFly administration panel.
- Alert on .war file uploads/deployments via the WildFly management interface (port 9990 / /management context), especially from unauthenticated or anonymous sessions, since auto-deployment is enabled by default in misconfigured instances.
- Detect HTTP requests to the /management context on port 9990 that do not carry authentication credentials, particularly those submitting multipart/form-data or deployment payloads.
- Anonymous access is NOT enabled in the default WildFly installation; the vulnerability only applies when anonymous access has been explicitly configured. Verify whether anonymous authentication is enabled before treating detections as exploitable.
- Red Hat does not classify this as a vulnerability for its products (JBoss EAP 7, JBoss Data Grid 7, RH SSO 7, RH Virtualization 4), all marked 'Not affected', because default installations enforce authentication on management interfaces.
- Even with anonymous access enabled, additional mitigating architectures (proxy-based access control, network isolation) may prevent exploitation. Assess the full network path to port 9990 before concluding exposure.
- When using the Elytron security subsystem, anonymous authentication policies can be defined even without a sasl-authentication-factory reference, meaning the attack surface may exist in Elytron-configured deployments as well.
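The detection items above, turned into a small triage rule set run over constructed access events (added example, not from the page's sources): it flags unauthenticated requests to /management on port 9990 and escalates when such a request is a multipart or .war deployment upload. The JSON field names (ts, src, dst_port, method, path, auth, content_type, upload_name) are an assumed normalised schema from a proxy or SIEM in front of WildFly, and the sample lines are constructed, not real traffic.

```python
import json
from typing import List, Optional

# Constructed JSON-lines sample of access events (not real traffic).
# Schema is an assumption: a proxy/SIEM normalising requests to the management interface.
SAMPLE_EVENTS = """\
{"ts":"2018-05-09T10:01:02Z","src":"10.0.0.5","dst_port":9990,"method":"GET","path":"/management","auth":"Basic","content_type":"","upload_name":""}
{"ts":"2018-05-09T10:02:10Z","src":"10.0.0.9","dst_port":9990,"method":"GET","path":"/management","auth":"","content_type":"","upload_name":""}
{"ts":"2018-05-09T10:03:44Z","src":"10.0.0.9","dst_port":9990,"method":"POST","path":"/management","auth":"","content_type":"multipart/form-data; boundary=x","upload_name":"upload1.war"}
{"ts":"2018-05-09T10:04:00Z","src":"10.0.0.7","dst_port":8080,"method":"POST","path":"/upload","auth":"","content_type":"multipart/form-data; boundary=y","upload_name":"report.war"}
{"ts":"2018-05-09T10:05:00Z","src":"10.0.0.5","dst_port":9990,"method":"POST","path":"/management","auth":"Basic","content_type":"multipart/form-data; boundary=z","upload_name":"app.war"}
"""

MGMT_PORT = 9990          # WildFly management port named in the advisory
MGMT_CONTEXT = "/management"


def is_mgmt_request(ev: dict) -> bool:
    """True for requests hitting the management context on the management port."""
    return ev.get("dst_port") == MGMT_PORT and ev.get("path", "").startswith(MGMT_CONTEXT)


def is_deploy_like(ev: dict) -> bool:
    """A deployment upload: POST carrying multipart/form-data or a .war artifact."""
    ctype = ev.get("content_type", "").lower()
    name = ev.get("upload_name", "").lower()
    return ev.get("method") == "POST" and (
        ctype.startswith("multipart/form-data") or name.endswith(".war")
    )


def classify(ev: dict) -> Optional[str]:
    """Return 'SEVERITY:rule' for management-interface events worth alerting on, else None."""
    if not is_mgmt_request(ev):
        return None
    unauth = not ev.get("auth")          # empty auth field = no credentials presented
    if is_deploy_like(ev):
        return "CRITICAL:unauth_war_deploy" if unauth else "INFO:authenticated_deploy"
    return "HIGH:unauth_mgmt_access" if unauth else None


def detect(lines: str) -> List[dict]:
    """Run classify() over JSON-lines input and collect alerts in log order."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        verdict = classify(ev)
        if verdict:
            sev, rule = verdict.split(":", 1)
            alerts.append({"ts": ev["ts"], "src": ev["src"], "severity": sev, "rule": rule})
    return alerts
```

As the notes above state, treat a hit as exploitable only after confirming that anonymous authentication is actually enabled on that host and that port 9990 is reachable past any proxy-based access control.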
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
vendor_redhat · 2018-05-02 · CVSS 9.8 · CRITICAL · CWE-306
wildfly: Anonymous access via 9990 port allows RCE via war file upload
(Description identical to the CVE text above.)
Statement: Red Hat Product Security does not conside
GHSA
ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-287
GHSA-5frm-69j4-hgp7: ** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final
(Description identical to the CVE text above, flagged as disputed.)
No detection rules found.
No public exploits indexed.
Published 2018-05-09