Misconfigured Java web server component Jolokia exposes websites to cyber attacks


Several websites that deploy the Java web server component Jolokia in a misconfigured, unauthenticated state, including sites operated by financial organizations, are exposed to cyber attacks.

The security researcher Mat Mannion discovered that misconfigured deployments of Jolokia, an agent that exposes Java Management Extensions (JMX) MBeans over HTTP, can be abused for denial of service, information disclosure and other attacks against Java web servers.

According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”

“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as jolokia.war or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication,” reads the security advisory published by Mannion.

“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service],” continues the advisory.

Jolokia flaws

The expert also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, noting that it could easily be adapted to any other web server that exposes an unauthenticated Jolokia endpoint.

The expert scanned the Internet for domains with exposed Jolokia endpoints, found many vulnerable websites, and notified their owners via HackerOne.

“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version,” wrote the expert.

“For each domain, the following URLs were attempted:

  • http://$DOMAIN$/jolokia
  • http://www.$DOMAIN$/jolokia
  • http://$DOMAIN$:8080/jolokia
  • https://$DOMAIN$/jolokia
  • https://www.$DOMAIN$/jolokia
  • https://$DOMAIN$:8443/jolokia"

Out of the 1,000,000 domains scanned, the results were:

Result                     Domains
Exploitable                    147
401 (authentication)         2,016
Other 2xx                  340,488
Other 4xx                  205,645
Timeout/error              451,704

A 401 response indicates that something answers at the /jolokia path but is protected by some form of authentication; only the 147 domains that returned a valid Jolokia response without any credentials were counted as exploitable.
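The scan described above, as an added example that is not Mannion's program or part of the original advisory: it builds the six candidate URLs per domain, fetches each one, and sorts the response into the same bins as the results table. A domain counts as "exploitable" only when a 2xx response carries a Jolokia version document (a JSON object whose "value" has an "agent" field); the "info" sub-object of that document is what discloses the servlet container vendor, product and version. The article does not say how 3xx or 5xx responses were binned, so this code counts them with timeouts and errors (an assumption). `demo()` runs against constructed responses for the made-up domain example.test; `probe()` makes real HTTP requests and should only be pointed at hosts you are authorized to test.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

# Bins from the article, best (most informative) first.
BINS = ["exploitable", "401", "other 2xx", "other 4xx", "timeout/error"]


def candidate_urls(domain: str) -> List[str]:
    """The six URL variants the article lists for each domain."""
    return [
        f"http://{domain}/jolokia",
        f"http://www.{domain}/jolokia",
        f"http://{domain}:8080/jolokia",
        f"https://{domain}/jolokia",
        f"https://www.{domain}/jolokia",
        f"https://{domain}:8443/jolokia",
    ]


def jolokia_info(body: bytes) -> Optional[dict]:
    """Return the Jolokia 'value' object if the body is an agent version response."""
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return None
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, dict) or "agent" not in value:
        return None
    return value


def container_banner(info: dict) -> str:
    """Vendor, product and version of the servlet container, as disclosed by the agent."""
    srv = info.get("info", {})
    return (f"{srv.get('vendor', '?')} {srv.get('product', '?')} "
            f"{srv.get('version', '?')} (agent {info.get('agent', '?')})")


def classify(status: Optional[int], body: bytes) -> str:
    """Map one HTTP response onto the article's result bins."""
    if status is None:
        return "timeout/error"
    if status == 401:
        return "401"
    if 200 <= status < 300:
        return "exploitable" if jolokia_info(body) is not None else "other 2xx"
    if 400 <= status < 500:
        return "other 4xx"
    return "timeout/error"  # assumption: 3xx/5xx were counted with errors


def probe(url: str, timeout: float = 5.0) -> Tuple[Optional[int], bytes]:
    """Fetch one URL; return (status, body) or (None, b'') on network failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "jolokia-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as exc:   # 4xx/5xx still carry a status
        return exc.code, exc.read()
    except (urllib.error.URLError, OSError, ValueError):
        return None, b""


def scan_domain(domain: str,
                fetch: Callable[[str], Tuple[Optional[int], bytes]] = probe
                ) -> Tuple[str, Optional[str]]:
    """Try every candidate URL; an open agent wins, otherwise keep the best bin seen."""
    best = "timeout/error"
    for url in candidate_urls(domain):
        status, body = fetch(url)
        result = classify(status, body)
        if result == "exploitable":
            return result, container_banner(jolokia_info(body))
        if BINS.index(result) < BINS.index(best):
            best = result
    return best, None


# Constructed sample: what an unauthenticated Jolokia agent answers on GET /jolokia.
SAMPLE_OPEN = json.dumps({
    "request": {"type": "version"},
    "value": {"agent": "1.6.0", "protocol": "7.2",
              "info": {"product": "tomcat", "vendor": "Apache", "version": "8.5.31"}},
    "timestamp": 1527100000, "status": 200,
}).encode()


def fake_fetch(url: str) -> Tuple[Optional[int], bytes]:
    """Offline stand-in for probe(): only the 8443 variant exposes the agent."""
    if url == "https://example.test:8443/jolokia":
        return 200, SAMPLE_OPEN
    if url.startswith("http://www."):
        return 401, b""
    return 200, b"<html>home page</html>"


def demo() -> Tuple[str, Optional[str]]:
    return scan_domain("example.test", fake_fetch)


if __name__ == "__main__":
    print(demo())
```

The scan follows redirects (urllib does so by default), so a 3xx landing page resolves to whatever it redirects to; a 2xx that is just the site's HTML, the bulk of the article's "Other 2xx" bin, is distinguished from a real agent by the JSON check rather than by status alone.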

Fortunately, many websites addressed the issue before the expert published his findings.

Mannion also notified a Jolokia maintainer and the Apache security team. The disclosure timeline was as follows:

24th May 2018: Initial discovery, start of scan
25th May 2018: Disclosure to HackerOne
26th-28th May 2018: Disclosure to affected domains, the Jolokia maintainer and the Apache security team
25th June 2018: Public disclosure
