[Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

Kevin W. Wall kevin.w.wall at gmail.com
Sun Nov 8 18:25:05 UTC 2015


On Sun, Nov 8, 2015 at 10:38 AM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> Hi all
>
> One of the vulnerabilities he mentions regarding the JBOSS can be easily
> checked using metasploit module
> https://www.rapid7.com/db/modules/auxiliary/scanner/http/jboss_vulnscan
>
> regards
>
> On Fri, Nov 6, 2015 at 11:37 PM, Tom Brennan <tomb at owasp.org> wrote:
>>
>> Great write up - take notice, take action.
>>
>>
>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

I don't think this is testing for the same vulnerability. That refers to
CVE-2010-0738, which is a different and much older vulnerability. That
vulnerability had to do with an authentication bypass via the JMX
console. Yes, auxiliary/scanner/http/jboss_vulnscan seems to check for
some of the tell-tale signs that would be present, but you could do that
more simply (well, at least if you don't already have metasploit
installed) by just checking for the default RMI and JMX ports that JBoss
uses via nmap, or if you have local server access, using lsof or netstat
to look for the port #s.

For most correctly configured JBoss installs, where the default password
has been changed, I think you're most likely to get an indication of
non-vulnerabilities being present because I suspect that most people
have patched JBoss to address CVE-2010-0738 by now.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

