Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
JBoss Console and Web Management Misconfiguration Vulnerability
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The default configuration of JBoss does not restrict access to the console and web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
Detection Method
Detection Method
Checks if the jmx-console or web-console is accessible without authentication.
Solution
Solution
As stated by Red Hat, the JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually. See the referenced advisories for mitigation steps.