Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:07 AM
Connect Directly

Who's The Boss Over Your JBoss Servers?

If you haven't patched a 2011 vulnerability found in more than 21,000 servers connected online, then the answer could be the person who installed a crimeware webshell

A widely unpatched vulnerability in JBoss Application Server (AS) discovered back in 2011 is opening up tens of thousands of enterprise data center servers to attack, with at least 500 actively compromised, according to a report out this week by Imperva. The analysis done by Imperva's security research team suggests that enterprises are not hardening their servers adequately and as a result are putting their entire data center operations at risk.

"The attackers are looking to circumvent methods that are supposed to be hardened because they expect vendors not to do a good job hardening their administrative access or functions," says Barry Shteiman, director of security strategy for Imperva. "Because of that, attackers are using that to inject standard or classic forms of attack -- in this case, a webshell -- which generally allows them full control over the server."

In this instance, Shteiman and his team noticed the attack trend after seeing a surge of attacks in online systems that demonstrated features they hadn't commonly seen before. Looking into it further, the team found the attacks all shared a distinct commonality: They were all suffered by JBoss servers.

"When we looked into it, we found that JBoss has a component called HTTPInvoker, and that component was found vulnerable, similarly to some other vulnerabilities we looked into recently that basically allowed an administrative function to be accessed without actually being an administrator logged in," Shteiman says. "In this case, it's a function that is supposed to populate new servlets or new pieces of code in the server. In a default state, JBoss allows that function to be used by anyone that wants it."

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

Attackers leveraged that hole to inject a webshell on vulnerable servers and achieve "full control over the data center," says Shteiman. He says that his research has shown there are likely around 500 JBoss servers currently compromised at the moment, by anywhere between 15 to 17 flavors of webshells. Among those, the most popular are a webshell called pwn.jsp that was demonstrated in an exploit published last month, along with a more slick crimeware webshell called JspSpy.

As Shteiman explains, JBoss AS is the de facto server platform for enterprises writing applications in Java.

"A lot of trading companies and banks are using it to hold up their main banking applications," says Shteiman. Even more frightening is its popularity among technology vendors that use it as a component for enterprise products and who could potentially be compromised before even shipping, essentially sending out products with built-in backdoors, he says.

The vulnerability in question was actually found in 2011 by Luca Carettoni, at the time a senior security consultant for Matasano Security, who then reported about 7,000 servers online susceptible to the vulnerability. Since then, rather than declining, the number of vulnerable servers has tripled, says Shteiman, who believes that part of the problem was a misclassification in the CVE database.

"It was classified as a vulnerability that affected product elements of HP ProCurve, and therefore I don't think anyone ever understood the research to its full effect," he says.

Nevertheless, security experts say this is something that should have been caught by more organizations, given the age of the vulnerability discovery.

"When the solution to this JBoss exploit is to simply update the affected servers, there is hardly any excuse for anyone to be affected by it, especially when the vulnerability has been discovered more than two years ago," says Michael Yuen, security engineer at application security firm Cenzic.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.