Websites using a misconfigured Java web server component are exposed to cyber attacks. Several high-profile websites including those operated by financial organizations were affected by issues.
The security researcher Mat Mannion discovered some flaws in Jolokia Java Management Extensions (JMX) that could result in denial of service, information disclosure and other potential attacks against Java web servers.
According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”
“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as
jolokia.war or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication.” reads the security advisory published by Mannion.
“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service],”
The expert also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, but he noticed that it could be easily used against any other webserver.
The expert scanned the Internet for misconfigured Jolokia domains and discovered many vulnerable websites, then notified them via HackerOne.
“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version.” wrote the expert.
“For each domain, the following URLs were attempted:
Out of the 1,000,000 domains, the results were:
|RESULT||NO. OF DOMAINS|
The 401 response indicates that connections to Jolokia were secured through some kind of authentication.
Fortunately, many websites addressed the issue before the expert made public its discovery.
Mannion also notified a maintainer on the Jolokia and Apache security team, below the timeline of the issue.
|24th May 2018||Initial discovery, start scan|
|25th May 2018||Disclosure to HackerOne|
|26th-28th May 2018||Disclosure to affected domains, maintainer of Jolokia and Apache security team|
|25th June 2018||Public disclosure|
(Security Affairs – Jolokia, hacking)