JBoss Application Server (AS) is a full-featured open source Java application server that includes full support for J2EE-based APIs. JBoss AS runs on numerous operating systems (e.g., Linux, FreeBSD, Mac OS X, and Microsoft Windows), as long as a suitable Java Virtual Machine (JVM) is present.
Java Management Extensions (JMX) is a Java technology that provides tools for managing and monitoring applications, system objects, devices (e.g., printers) and service oriented networks. JMX Console is a JMX-based management console application for JBoss AS that comes bundled with the JBoss AS distribution.
JMX Console uses HTTP password authentication to control access to the application. However, JBoss AS allows verb-based authentication and access control (VBAAC), which lets the deployment descriptor specify different access controls for different HTTP verbs (e.g., GET, POST, HEAD). The default JBoss AS authentication configuration restricts access to JMX Console via the HTTP GET and POST verbs to users in the JBossAdmin role, but it places no restriction on access via any other HTTP verb. Since HEAD requests are handled by the GET verb handler (the servlet's default HEAD processing delegates to the GET method and simply drops the response body), any command embedded in an HTTP HEAD request is executed exactly as the same command sent via GET would be, but without requiring authentication and without returning the response body to the requester. By sending a crafted HTTP request with a verb other than GET or POST to the target server, a remote unauthenticated attacker can inject and execute arbitrary unrestricted Java code on the target server, including file access and invocation of a command shell, in the context of the JBoss AS process, normally jboss on *NIX systems and SYSTEM on Windows systems.
JBoss Enterprise Application Platform should be upgraded to 4.3 CP08, 4.2 CP09, or higher.
To secure the JMX Console, use the advanced installer options to configure JBoss to only allow authenticated administrative access.
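The following is an added example, not part of the original advisory or of the JBoss project. It shows, from the defender's side, how to audit a jmx-console web.xml for the weak verb-limited security constraint described above and how to spot abuse of it in an access log. The two web.xml fragments and the access-log lines are constructed samples: the weak fragment enumerates GET and POST in its web-resource-collection (so every other verb falls outside the constraint), while the hardened fragment omits the http-method elements so the JBossAdmin role is required for all verbs. The file is normally found under deploy/jmx-console.war/WEB-INF/web.xml in a JBoss AS 4.x installation; the log format assumed is the common Tomcat access-log layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak constraint lists explicit verbs, so HEAD, PUT,
# DELETE, etc. are served without any authentication.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the hardened constraint has no <http-method> elements,
# so the role requirement applies to every HTTP verb.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the checker also works
    on descriptors that declare the J2EE namespace."""
    return tag.rsplit("}", 1)[-1]


def verb_limited_constraints(web_xml_text):
    """Return every security-constraint that requires a role AND enumerates
    <http-method> elements.  Such a constraint protects only the listed verbs;
    any other verb reaches the protected servlet unauthenticated."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            continue  # no role requirement, nothing to bypass
        for wrc in sc.iter():
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = [e.text.strip() for e in wrc.iter()
                       if _local(e.tag) == "http-method" and e.text]
            if methods:
                name = next((e.text.strip() for e in wrc.iter()
                             if _local(e.tag) == "web-resource-name" and e.text), "?")
                findings.append({"resource": name, "methods": methods})
    return findings


def is_verb_tamperable(web_xml_text):
    """True when at least one role-protected constraint is limited to specific verbs."""
    return bool(verb_limited_constraints(web_xml_text))


# Constructed access-log lines in common Tomcat format.  Two HEAD requests to
# the console from an unauthenticated client are the ones worth flagging.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [12/Apr/2010:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
10.0.0.5 - - [12/Apr/2010:10:01:05 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 401 -
203.0.113.7 - - [12/Apr/2010:10:02:11 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -
203.0.113.7 - - [12/Apr/2010:10:02:12 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -
192.0.2.9 - - [12/Apr/2010:10:03:00 +0000] "HEAD /index.html HTTP/1.1" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def flag_jmx_console_verb_abuse(lines, allowed=("GET", "POST")):
    """Return (client, method, path, status) for every request to the JMX
    Console that uses a verb outside the ones the default constraint covers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/jmx-console"):
            continue
        if m.group("method") in allowed:
            continue
        hits.append((m.group("client"), m.group("method"),
                     m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    print("weak web.xml tamperable:", is_verb_tamperable(WEAK_WEB_XML))
    print("hardened web.xml tamperable:", is_verb_tamperable(HARDENED_WEB_XML))
    for hit in flag_jmx_console_verb_abuse(SAMPLE_ACCESS_LOG.splitlines()):
        print("suspicious:", hit)
```

A 200 status on a HEAD to the console from a client that never authenticated is the signal to look for; the same server returns 401 for the unauthenticated GET on the second line. Removing the http-method elements, as in the hardened fragment, is the configuration change that closes the gap regardless of which verb is used.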
Exploit works on Red Hat JBoss Enterprise Application Platform 4.2.0.CP08.
The JMX Console service must be accessible remotely. By default, it is only accessible locally.