Misconfigured Java web server component Jolokia exposes websites to cyber attacks

Pierluigi Paganini June 26, 2018

Several websites using a misconfigured deployment of the Java web server component Jolokia, including some operated by financial organizations, are exposed to cyber attacks.

Websites that deploy the Jolokia agent without authentication are exposed to cyber attacks. Several high-profile websites, including some operated by financial organizations, were affected.

The security researcher Mat Mannion found that misconfigured deployments of Jolokia, an HTTP bridge to Java Management Extensions (JMX), can expose the JMX MBeans of the hosting servlet container to the Internet, which can result in denial of service, information disclosure and other attacks against Java web servers.

According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”

“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as jolokia.war or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication.” reads the security advisory published by Mannion.

“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service].”
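The misconfiguration described above is the WAR agent deployed with its web.xml untouched, so the servlet container answers /jolokia for anyone. The fragment below is an added example (it is not taken from the advisory or from the Jolokia project's documentation): it shows the protected form of the WAR agent's web.xml, in which the security-constraint section is enabled so that the container returns 401 to unauthenticated requests. The role name "jolokia", the realm name and the user setup in the container's realm (for Tomcat, tomcat-users.xml) are assumptions for the example; adjust them to the deployment.

```xml
<!-- WEB-INF/web.xml of the deployed Jolokia WAR (added example, assumed names).
     Weak setting: no <security-constraint> at all, so every request to
     /jolokia/* is served anonymously and the MBeans are reachable from any
     client that can reach the container or its reverse proxy.
     Hardened setting: require the "jolokia" role for every path in the agent. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <servlet-name>jolokia-agent</servlet-name>
    <servlet-class>org.jolokia.http.AgentServlet</servlet-class>
    <!-- Optional second layer: an access policy file restricting source hosts
         and allowed commands; path is relative to WEB-INF/classes. -->
    <init-param>
      <param-name>policyLocation</param-name>
      <param-value>classpath:/jolokia-access.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>jolokia-agent</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- Everything below is what the insecure-by-default deployment lacks. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Jolokia-Agent Access</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>jolokia</role-name>
    </auth-constraint>
    <!-- Basic credentials must not cross the wire in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Jolokia</realm-name>
  </login-config>

  <security-role>
    <role-name>jolokia</role-name>
  </security-role>
</web-app>
```

With this in place an anonymous request to /jolokia returns 401 instead of the agent's version JSON, which is the signal Mannion's scan used to tell protected deployments from exposed ones. Authentication in the container is a stopgap; the endpoint should additionally be unreachable from the Internet (firewall, reverse proxy rule, or a jolokia-access.xml policy that limits remote hosts and the allowed commands).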

Jolokia flaws

The expert also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, noting that it could easily be adapted to any other servlet container that exposes an unauthenticated Jolokia endpoint.

The expert scanned the Alexa top 1 million domains for unauthenticated Jolokia endpoints, discovered many vulnerable websites, and notified them via HackerOne.

“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version.” wrote the expert.

“For each domain, the following URLs were attempted:

  • http://$DOMAIN$/jolokia
  • http://www.$DOMAIN$/jolokia
  • http://$DOMAIN$:8080/jolokia
  • https://$DOMAIN$/jolokia
  • https://www.$DOMAIN$/jolokia
  • https://$DOMAIN$:8443/jolokia"

Out of the 1,000,000 domains, the results were:

  Result          Domains
  Exploitable         147
  401               2,016
  Other 2xx       340,488
  Other 4xx       205,645
  Timeout/error   451,704

A 401 response means the server demanded HTTP authentication for the /jolokia path, so those deployments were protected by some form of authentication rather than left open.
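The scan and the result buckets above can be reconstructed in a few dozen lines. The script below is an added example, not Mannion's own program: it tries the same six URLs per domain, recognises an exposed endpoint by the JSON that Jolokia returns to a bare GET on /jolokia (whose value.info block names the servlet container and version, which is the disclosure the advisory mentions), and tallies each domain into one of the five table categories. The precedence used to combine six responses into one category (Exploitable, then 401, then other 2xx, then other 4xx, else timeout/error) is an assumption, as the advisory does not say how it was done. The responses in CONSTRUCTED are made up so the script runs offline; pass http_fetch instead to scan real hosts you are authorised to test.

```python
"""Reconstruction of the Alexa /jolokia scan (added example, not the advisory's code).
Bucketing precedence Exploitable > 401 > other 2xx > other 4xx > timeout/error
is an assumption made for this example."""
import json
import socket
import urllib.error
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Response = Tuple[Optional[int], bytes]   # (HTTP status, or None on error; body)
ServerInfo = Tuple[str, str]             # (container product, version)


def candidate_urls(domain: str) -> List[str]:
    """The six URLs the advisory lists for each domain, in the same order."""
    return [
        f"http://{domain}/jolokia",
        f"http://www.{domain}/jolokia",
        f"http://{domain}:8080/jolokia",
        f"https://{domain}/jolokia",
        f"https://www.{domain}/jolokia",
        f"https://{domain}:8443/jolokia",
    ]


def jolokia_server_info(body: bytes) -> Optional[ServerInfo]:
    """Return (product, version) if body is Jolokia's unauthenticated 'version'
    reply, else None. A real Jolokia reply carries status 200 plus value.agent and
    value.protocol; value.info names the hosting container (e.g. tomcat 8.5.x)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("status") != 200:
        return None
    value = doc.get("value")
    if not isinstance(value, dict) or "agent" not in value or "protocol" not in value:
        return None
    info = value.get("info") or {}
    return (str(info.get("product", "unknown")), str(info.get("version", "unknown")))


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Live fetcher: reads only the first 8 KB; any network failure maps to (None, b'')."""
    req = urllib.request.Request(url, headers={"User-Agent": "jolokia-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(8192)
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a status
        return err.code, err.read(8192)
    except (urllib.error.URLError, socket.timeout, OSError, ValueError):
        return None, b""


def classify(responses: Iterable[Response]) -> Tuple[str, Optional[ServerInfo]]:
    """Fold one domain's responses into a table category plus any disclosed info."""
    statuses: List[int] = []
    for status, body in responses:
        if status is None:
            continue
        if 200 <= status < 300:
            info = jolokia_server_info(body)
            if info is not None:
                return "Exploitable", info
        statuses.append(status)
    if 401 in statuses:
        return "401", None
    if any(200 <= s < 300 for s in statuses):
        return "Other 2xx", None
    if any(400 <= s < 500 for s in statuses):
        return "Other 4xx", None
    return "Timeout/error", None           # nothing answered, or only 3xx/5xx


def scan_domain(domain: str, fetch: Callable[[str], Response] = http_fetch):
    return classify(fetch(url) for url in candidate_urls(domain))


def scan(domains: Iterable[str], fetch: Callable[[str], Response] = http_fetch) -> Counter:
    """Tally every domain into the five categories of the published table."""
    tally: Counter = Counter()
    for domain in domains:
        category, info = scan_domain(domain, fetch)
        tally[category] += 1
        if info is not None:
            print(f"{domain}: unauthenticated /jolokia on {info[0]} {info[1]}")
    return tally


# Constructed responses for an offline run; no real host is contacted.
CONSTRUCTED: Dict[str, Response] = {
    "http://open.example/jolokia": (200, b'{"request":{"type":"version"},'
        b'"value":{"agent":"1.3.7","protocol":"7.2",'
        b'"info":{"product":"tomcat","vendor":"Apache","version":"8.5.14"}},'
        b'"timestamp":1527148800,"status":200}'),
    "http://locked.example/jolokia": (401, b"Unauthorized"),
    "https://locked.example/jolokia": (401, b""),
    "http://web.example/jolokia": (200, b"<html>catch-all page, not Jolokia</html>"),
    "http://www.web.example/jolokia": (404, b""),
    "https://missing.example/jolokia": (404, b""),
}


def constructed_fetch(url: str) -> Response:
    return CONSTRUCTED.get(url, (None, b""))


if __name__ == "__main__":
    sample = ["open.example", "locked.example", "web.example", "missing.example", "dead.example"]
    print(scan(sample, constructed_fetch))
```

The check that matters is in jolokia_server_info: a 200 alone is not evidence of exposure (catch-all pages and SPAs answer 200 for any path, which is why the "Other 2xx" bucket is so large), whereas a parseable version reply proves the agent is answering unauthenticated and already leaks the container product and version.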

Fortunately, many websites addressed the issue before the expert made his discovery public.

Mannion also notified a Jolokia maintainer and the Apache security team. The timeline of the issue is below.

24th May 2018 Initial discovery, start scan
25th May 2018 Disclosure to HackerOne
26th-28th May 2018 Disclosure to affected domains, maintainer of Jolokia and Apache security team
25th June 2018 Public disclosure



Pierluigi Paganini

(Security Affairs – Jolokia, hacking)
