JBoss HttpAdaptor JMXInvokerServlet - Vulnerability Database

JBoss HttpAdaptor JMXInvokerServlet

Description

JBoss Application Server includes the JMXInvokerServlet, which is publicly accessible by default at /invoker/JMXInvokerServlet. This servlet accepts HTTP POST requests containing serialized Java objects (MarshalledInvocation) that are deserialized and forwarded to JMX MBeans without proper authentication. An attacker can exploit this by crafting malicious serialized objects to invoke sensitive MBeans such as BSHDeployer (to create arbitrary files) and MainDeployer (to deploy malicious applications), effectively achieving remote code execution on the server.

Remediation

Immediately restrict access to the JMXInvokerServlet by implementing one or more of the following measures:

1. Remove or disable the invoker servlet by deleting or commenting out the servlet mapping in the http-invoker.sar/web.xml file within your JBoss deployment.

2. Implement authentication by configuring security constraints in the same web.xml file; the role named in the constraint must be backed by a login-config and a configured security domain so that it can actually be satisfied:

<!-- Use the servlet's full mapping (/JMXInvokerServlet/*) and list no
     <http-method>, so every path and every HTTP verb is covered -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JMXInvokerServlet</web-resource-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>

3. Use network-level controls to restrict access to the /invoker/* URL path to trusted IP addresses only using firewall rules or web server configurations.

4. Upgrade to a supported JBoss/WildFly version that has addressed this vulnerability and follow current security best practices for JMX access control.
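As an added defensive check (example code, not Invicti's or JBoss's own), this Python audit parses a web.xml and reports whether every url-pattern that routes to JMXInvokerServlet is covered by a security-constraint that carries an auth-constraint and lists no http-method. The embedded web.xml is a constructed sample that assumes the servlet is mapped at /JMXInvokerServlet/*; the step-2 constraint with an exact url-pattern is reported as a gap, the wildcard form is not.

```python
import xml.etree.ElementTree as ET

def _kids(el, name):  # children by local tag name, ignoring any XML namespace
    return [c for c in el if c.tag.rsplit('}', 1)[-1] == name]

def _texts(el, name):
    return [(c.text or '').strip() for c in _kids(el, name)]

def covers(constraint_pattern, servlet_pattern):
    """Servlet-spec matching: does every request routed by servlet_pattern also hit constraint_pattern?"""
    if constraint_pattern in (servlet_pattern, '/*'):
        return True
    if constraint_pattern.endswith('/*'):  # '/foo/*' matches '/foo' and '/foo/...'
        prefix = constraint_pattern[:-2]
        target = servlet_pattern[:-2] if servlet_pattern.endswith('/*') else servlet_pattern
        return target == prefix or target.startswith(prefix + '/')
    return False  # an exact constraint never covers a wildcard servlet mapping

def audit_web_xml(xml_text, servlet_name='JMXInvokerServlet'):
    """Return findings for servlet_name; an empty list means every mapping is constrained."""
    root = ET.fromstring(xml_text)
    mappings = [m for m in _kids(root, 'servlet-mapping')
                if _texts(m, 'servlet-name') == [servlet_name]]
    findings = []
    for sp in (p for m in mappings for p in _texts(m, 'url-pattern')):
        protected = False
        for sc in _kids(root, 'security-constraint'):
            if not _kids(sc, 'auth-constraint'):
                continue  # no auth-constraint: the constraint restricts nothing
            for wrc in _kids(sc, 'web-resource-collection'):
                if not any(covers(cp, sp) for cp in _texts(wrc, 'url-pattern')):
                    continue
                if _kids(wrc, 'http-method'):  # only the listed verbs are constrained
                    findings.append(f'{sp}: constraint lists http-method; other verbs bypass it')
                    continue
                protected = True
        if not protected:
            findings.append(f'{sp}: no auth-constraint covers this mapping')
    return findings

# Constructed sample, not a real JBoss file: servlet mapped at /JMXInvokerServlet/*, step-2 constraint.
WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>JMXInvokerServlet</web-resource-name>
      <url-pattern>{pattern}</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Run it as `audit_web_xml(WEB_XML.format(pattern='/JMXInvokerServlet'))` to see the gap reported, then with `/JMXInvokerServlet/*` to get an empty list; point it at a real invoker.war web.xml to audit a deployment.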
