
JolokiaPwn – Java Web Server Vulnerability

A vulnerability in Jolokia, an agent that exposes Java Management Extensions (JMX) over HTTP, allows server information to be disclosed to an unauthorised user. A remote attacker could exploit this to gain access to sensitive data or cause a denial-of-service on a targeted device.

Jolokia is a widely used bridge to JMX, a Java-based technology used to provide administration and monitoring tools for web applications and resources. These resources are represented by objects called MBeans. Jolokia ships a Web Archive (WAR) agent, jolokia.war, which offers its services to deployed applications. By default the jolokia.war agent is unsecured, and its web.xml component must be modified to require authentication. If an unsecured agent is deployed and no further security control, such as a firewall, is in place, it can be exposed to the Internet.

Most Java servers will export large quantities of information over JMX using MBeans. A remote attacker could send commands to these MBeans through Jolokia to access this information. Information shown to be accessible includes:

  • Server information
  • Session ID lists
  • Database attributes and details

On 25th June 2018 version 1.6.0 of Jolokia was released, which by default requires an authenticated user holding the Jolokia role in order to access the WAR agent.

Further details here – https://matmannion.com/jolokiapwn/

Remediation

Jolokia 1.6.0 has been confirmed to rectify this vulnerability. Users should update their affected systems in line with their standard patching process. If users are unable to update to 1.6.0, the Jolokia reference manual provides details on how to secure jolokia.war agents by adding a security constraint to their web.xml.
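As an added illustration of the pre-1.6.0 remediation, and not a fragment taken from this page or from the Jolokia project's own files, the following web.xml excerpt shows the standard Servlet security-constraint that restricts every path of the agent to an authenticated user holding the `jolokia` role, and additionally insists on an encrypted transport. The role name `jolokia` and the BASIC realm name are assumptions; the role must also be granted to a user in the container's own user store (for example Tomcat's tomcat-users.xml), which is outside this fragment.

```xml
<!-- Illustrative excerpt for jolokia.war's WEB-INF/web.xml (added example;
     merge with the existing <servlet> and <servlet-mapping> entries) -->

<!-- Every request to the agent (/*) must come from an authenticated
     principal that holds the 'jolokia' role, over HTTPS (CONFIDENTIAL). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Jolokia-Agent Access</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>jolokia</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- HTTP Basic authentication; the realm name is an assumed placeholder. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jolokia</realm-name>
</login-config>

<!-- Declare the role so the container can map it to real users. -->
<security-role>
  <role-name>jolokia</role-name>
</security-role>
```

After redeploying the modified WAR, an anonymous request to the agent should be answered with an HTTP 401 rather than with MBean data; confirming that response from an unauthenticated client is the quickest check that the constraint is actually in force.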

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
