JBoss Web Console JMX Invoker - Vulnerability Database

JBoss Web Console JMX Invoker

Description

JBoss Application Server's default installation exposes the web console at /web-console without authentication. This console provides administrative functionality including JNDI tree inspection, thread management, application redeployment, and server shutdown capabilities. Additionally, the JMX Invoker servlet accessible at /web-console/Invoker allows unrestricted execution of arbitrary JMX (Java Management Extensions) commands. This invoker operates as a full-featured JMX interface that extends beyond the web console's visible functionality, enabling remote attackers to send any JMX command to the application server without authentication.

Remediation

Immediately restrict access to the JBoss web console and JMX Invoker using one or more of the following methods:

1. Remove or disable the web console if not required for operations by deleting the web-console.war file from the deploy directory.

2. Implement authentication by editing the web-console WAR's WEB-INF/web.xml file to add security constraints and configure user roles in conf/props/jmx-console-users.properties.

3. Restrict network access using firewall rules or servlet filters to limit console access to trusted IP addresses only.

4. Use JBoss security realms to enforce authentication by configuring the security-domain in jboss-web.xml.

Refer to the official JBoss documentation 'Securing the JMX Console and Web Console' for detailed configuration steps specific to your JBoss version.
