JBoss status servlet information leak
Description
The JBoss status servlet is publicly accessible on this server without authentication. This administrative interface exposes sensitive operational information including deployed application details, servlet configurations, active sessions, and recently accessed URLs. This servlet is intended for internal monitoring and should not be exposed to untrusted networks.
Remediation
Restrict access to the status servlet by implementing one or more of the following controls:
1. Remove or disable the status servlet if it is not required for operations. Edit the web.xml configuration file and comment out or remove the servlet and servlet-mapping entries for the status servlet.
2. Implement IP-based access restrictions so that only trusted management networks can reach the servlet, and require authentication for it. The following security constraint in web.xml or jboss-web.xml limits the status URLs to authenticated users holding the admin role; the role must be declared and a login-config must be present for the constraint to be enforced, and note that a security constraint authenticates users but does not by itself filter by source IP:
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Status Servlet</web-resource-name>
       <url-pattern>/status/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>
3. Configure firewall rules to block external access to administrative URLs at the network perimeter.
4. Verify the configuration by attempting to access the status servlet from an unauthorized network location to confirm that access is properly restricted.
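As an added example (not part of this advisory), the following script audits a web.xml offline to check steps 1 and 2: it lists the URL patterns the status servlet is still mapped to and reports any that no security-constraint with an auth-constraint covers. It assumes the status servlet can be recognised by the word "status" in its servlet-name or servlet-class, and that url-pattern matching follows the servlet-spec rules Tomcat/JBoss Web apply (so /status/* also covers /status).

```python
# Offline audit of a web.xml: is the status servlet still mapped, and is each of
# its mappings covered by a security-constraint that carries an auth-constraint?
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # web.xml normally carries the Java EE namespace; compare local names only
    return tag.split("}")[-1]

def _descendants(elem, name):
    return [c for c in elem.iter() if c is not elem and _local(c.tag) == name]

def _texts(elem, name):
    return [c.text.strip() for c in _descendants(elem, name) if c.text and c.text.strip()]

def pattern_covers(pattern, path):
    """url-pattern matching as Tomcat/JBoss Web apply it (assumed servlet-spec semantics)."""
    if pattern in ("/", "/*"):                 # default servlet / everything
        return True
    if pattern.endswith("/*"):                 # path mapping: /status/* also covers /status
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                     # exact mapping

def audit_status_servlet(web_xml):
    root = ET.fromstring(web_xml)
    # assumption: the status servlet has "status" in its servlet-name or servlet-class
    status_names = set()
    for servlet in _descendants(root, "servlet"):
        names, classes = _texts(servlet, "servlet-name"), _texts(servlet, "servlet-class")
        if any("status" in v.lower() for v in names + classes):
            status_names.update(names)
    mapped = []
    for mapping in _descendants(root, "servlet-mapping"):
        if set(_texts(mapping, "servlet-name")) & status_names:
            mapped.extend(_texts(mapping, "url-pattern"))
    # a constraint restricts access only if it has an auth-constraint; an empty
    # <auth-constraint/> denies everyone, so its presence is what matters
    protected = []
    for constraint in _descendants(root, "security-constraint"):
        if _descendants(constraint, "auth-constraint"):
            protected.extend(_texts(constraint, "url-pattern"))
    unprotected = [p for p in mapped if not any(pattern_covers(q, p) for q in protected)]
    return {"mapped": mapped, "protected_by": protected, "unprotected": unprotected}

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(audit_status_servlet(fh.read()))
```

An empty "unprotected" list means every status mapping is covered; an empty "mapped" list means step 1 has been applied. IP filtering and firewall rules (steps 2 and 3) are not visible in web.xml and still need the network-level check from step 4.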