[Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

johanna curiel curiel johanna.curiel at owasp.org
Sun Nov 8 21:02:28 UTC 2015


Hi Kevin

As mentioned on the site: 'Interestingly the JMXInvokerServlet that this
exploit requires to work is very often left open to the Internet and has a
history of issues.'

The jboss vuln checks if the JMXInvokerServlet is found open, that's why I
think it is a very handy test to check if the vulnerability mentioned can be
further exploited. Indeed, it does not attempt to exploit it directly.
[image: Inline image 1]

regards

Johanna

On Sun, Nov 8, 2015 at 2:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> On Sun, Nov 8, 2015 at 10:38 AM, johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
> > Hi all
> >
> > One of the vulnerabilities he mentions regarding the JBOSS can be easily
> > checked using metasploit module
> > https://www.rapid7.com/db/modules/auxiliary/scanner/http/jboss_vulnscan
> >
> > regards
> >
> > On Fri, Nov 6, 2015 at 11:37 PM, Tom Brennan <tomb at owasp.org> wrote:
> >>
> >> Great write up - take notice, take action.
> >>
> >>
> >>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>
> I don't think this is testing for the same vulnerability. That refers
> to CVE-2010-0738, which is a different and much older vulnerability.
> That vulnerability had to do with an authentication bypass via the
> JMX console. Yes, auxiliary/scanner/http/jboss_vulnscan seems to check
> for some of the tell-tale signs that would be present, but you could
> do that more simply (well, at least if you don't already have
> metasploit installed) by just checking for the default RMI and JMX
> ports that JBoss uses via nmap, or if you have local server access,
> using lsof or netstat to look for the port #s.
>
> For most correctly configured JBoss installs, where the default
> password has been changed, I think you're most likely to get an
> indication of non-vulnerabilities being present because I suspect
> that most people have patched JBoss to address CVE-2010-0738 by now.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your crypto bit are belong to us.
>
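
The local check suggested in the quoted reply above (looking for JBoss's default RMI and JMX ports with netstat), sketched as an added Python example that is not part of either message. The port list is an assumption (commonly documented JBoss AS 4.x-6.x defaults, not given in the thread), the sample output is constructed, and the function names are hypothetical.

```python
# Assumed default listener ports for JBoss AS 4.x-6.x (not listed in the thread).
JBOSS_DEFAULT_PORTS = {
    1098: "RMI naming",
    1099: "JNDI naming",
    4444: "JRMP invoker",
    4445: "pooled invoker",
    8083: "RMI class loading",
}

# Constructed sample of `netstat -ltn` output, for illustration only.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8083           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::1098                 :::*                    LISTEN
tcp6       0      0 ::1:4445                :::*                    LISTEN
"""

def split_host_port(local):
    """Split '0.0.0.0:1099', ':::1098' or '[::1]:4445' into (host, port text)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port

def exposed_jboss_listeners(listing):
    """Return (host, port, service) for assumed JBoss ports bound off-loopback."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        # `netstat -ltn` and `ss -ltn` both put the local address in column 4;
        # header rows carry no LISTEN token and are skipped here.
        if "LISTEN" not in fields or len(fields) < 5:
            continue
        host, port = split_host_port(fields[3])
        if not port.isdigit() or int(port) not in JBOSS_DEFAULT_PORTS:
            continue
        if host.startswith("127.") or host == "::1":
            continue  # loopback-only listeners are not reachable from the network
        findings.append((host, int(port), JBOSS_DEFAULT_PORTS[int(port)]))
    return findings

if __name__ == "__main__":
    for host, port, service in exposed_jboss_listeners(SAMPLE_NETSTAT):
        print(f"{service} port {port} is listening on {host}")
```

A listener reported here only shows that the port is reachable beyond loopback; it says nothing about patch level, which is the distinction the reply draws.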