JBoss BSHDeployer MBean
Description
JBoss Application Server, in its default configuration, exposes the JMX Management Console at http://localhost:8080/jmx-console without authentication. This console provides administrative access to critical server functions including JNDI tree inspection, thread management, application deployment, and server shutdown. The BSHDeployer MBean, accessible through this console, allows deployment and automatic execution of BeanShell scripts, enabling arbitrary code execution on the server.
This vulnerability affects JBoss installations that have not been hardened post-deployment, leaving administrative interfaces publicly accessible to unauthorized users.
Remediation
Secure the JMX Management Console by implementing authentication and access controls. Follow these steps:
1. Enable Authentication: Edit the jmx-console/WEB-INF/web.xml file and uncomment the security-constraint section to require authentication for console access.
2. Configure User Credentials: Define authorized users and roles in jmx-console/WEB-INF/jboss-web.xml and the corresponding security domain configuration.
3. Restrict Network Access: Configure firewall rules to limit JMX console access to trusted IP addresses or internal networks only. Block external access to port 8080/tcp or the configured JMX console port.
4. Remove Unnecessary MBeans: If BeanShell script deployment is not required, remove or disable the BSHDeployer MBean by deleting bsh-deployer.xml from the deploy directory.
5. Apply Security Updates: Upgrade to the latest supported version of JBoss/WildFly and apply all available security patches.
Example web.xml security constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <!-- deliberately no <http-method> elements: listing only GET and POST would
         constrain just those verbs and leave every other HTTP method unprotected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
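To verify that steps 1 and 4 were actually applied, the following Python script (an added example, not part of the original advisory or of JBoss) audits a jmx-console web.xml the way the container reads it: a constraint that is still inside an XML comment does not count, the url-pattern must cover /*, an auth-constraint role and a login-config must exist, and any <http-method> list is flagged because it leaves the unlisted verbs unconstrained. The two sample web.xml documents are constructed for the example, and the function names are the example's own.

```python
import os
import xml.etree.ElementTree as ET

# Constructed samples: the stock file (constraint commented out) and the file after step 1.
DEFAULT_WEB_XML = """<web-app>
  <!-- <security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint> -->
</web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _local(tag):
    """Drop the namespace so JBoss 4 (no ns) and JBoss 5+ (javaee ns) both parse."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag

def audit_web_xml(xml_text):
    """Return findings for a jmx-console web.xml; an empty list means hardened."""
    root = ET.fromstring(xml_text)  # comments are dropped by the parser, so a
    for el in root.iter():          # commented-out constraint is invisible here too
        el.tag = _local(el.tag)
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no active <security-constraint>: console is unauthenticated"]
    findings = []
    for sc in constraints:
        patterns = [p.text for p in sc.iter("url-pattern")]
        if "/*" not in patterns:
            findings.append("url-pattern does not cover /*: %r" % patterns)
        # Listing only some verbs constrains those verbs and leaves the rest open.
        methods = [m.text for m in sc.iter("http-method")]
        if methods:
            findings.append("constraint limited to %r; other HTTP verbs bypass it" % methods)
        if not list(sc.iter("role-name")):
            findings.append("auth-constraint missing or has no role-name")
    if root.find("login-config/auth-method") is None:
        findings.append("no <login-config>: no authentication method configured")
    return findings

def bsh_deployer_present(deploy_dir):
    """Step 4 check: True if bsh-deployer.xml is still in the deploy directory."""
    return os.path.isfile(os.path.join(deploy_dir, "bsh-deployer.xml"))
```

Run `audit_web_xml(open("jmx-console/WEB-INF/web.xml").read())` and `bsh_deployer_present("server/default/deploy")` against a real installation; both the server profile path and the deploy directory vary by JBoss version.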