Attackers are increasingly targeting a two-year-old vulnerability in JBoss Java EE application servers that exposes the “HTTP Invoker” service without authentication. In October, security researcher Andrea Micalizzi released an exploit for many products that incorporate vulnerable 4.x and 5.x versions of JBoss. The rapid targeting of the vulnerability exposes some of the dangers of incorporating outdated open source components into products and underscores the importance of testing code for flaws whenever it is incorporated into a product, not only when it is first written.
Micalizzi’s exploit code, called pwn.jsp, can be used to run shell commands on the operating system via HTTP requests. The commands run with the privileges of the user account running JBoss, which is often an administrative account, Network World reported. The vulnerability is due to insecure default configurations that expose the JBoss management interfaces and invokers to unauthenticated requests, so no credentials are needed to reach them. This issue has been known since 2011, when researchers from Matasano Security estimated that around 7,300 Internet-facing servers were vulnerable. According to researchers at Imperva, that number has more than tripled, and more than 200 sites running on JBoss servers, including some run by governments and universities, have been compromised.
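The practical question for anyone running a product built on JBoss AS 4.x or 5.x is whether the invoker and management endpoints answer without authentication. The script below is an added example, not code from the article, from Micalizzi, or from Red Hat. It probes the well-known default paths of those releases and classifies each response: a 200 whose body starts with the Java serialization magic bytes (0xAC 0xED) is the HTTP invoker answering an unauthenticated client, 401/403 means a security constraint is in place, 404 means the deployment was removed. The host name and the sample responses are constructed for illustration so the check runs offline; pass a real base URL on the command line to probe a server you are authorized to test.

```python
"""Exposure check for JBoss AS 4.x/5.x management interfaces and invokers.

Added example (not the article's or Red Hat's code). Default paths are the
ones shipped by JBoss AS 4.x/5.x; the host and the sample responses below are
constructed assumptions so the script can run without a network.
"""
import sys
import urllib.error
import urllib.request

# First two bytes of every Java serialization stream; the HTTP invoker
# answers with a serialized MarshalledValue, so this marks an open invoker.
JAVA_SERIAL_MAGIC = b"\xac\xed"

# Default endpoints in JBoss AS 4.x/5.x that must require authentication.
DEFAULT_PATHS = (
    "/invoker/JMXInvokerServlet",   # the "HTTP Invoker" targeted by pwn.jsp
    "/invoker/EJBInvokerServlet",
    "/jmx-console/",
    "/web-console/",
)


def classify(status, content_type, body):
    """Map one HTTP response to an exposure verdict."""
    if status in (401, 403):
        return "protected"          # a security-constraint is active
    if status == 404:
        return "absent"             # deployment removed or never installed
    if status == 200:
        if body.startswith(JAVA_SERIAL_MAGIC) or "java-serialized" in content_type:
            return "exposed-invoker"  # invoker talks to an unauthenticated client
        return "exposed"            # console page served without a login
    return "unknown"


def fetch(url, timeout=5):
    """Real probe: return (status, content-type, first 64 body bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": "jboss-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(64)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), b""


def check_host(base_url, fetch_fn=fetch):
    """Probe every default path under base_url; fetch_fn is injectable for tests."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch_fn(base + path)) for path in DEFAULT_PATHS}


def exposed_paths(results):
    """Paths that answered without any authentication, sorted for stable output."""
    return sorted(p for p, verdict in results.items() if verdict.startswith("exposed"))


# Constructed sample responses standing in for a default-configured install:
# both invokers open, the JMX console behind a login, the web console removed.
SAMPLE_RESPONSES = {
    "/invoker/JMXInvokerServlet": (200, "application/x-java-serialized-object",
                                   b"\xac\xed\x00\x05sr\x00"),
    "/invoker/EJBInvokerServlet": (200, "application/x-java-serialized-object",
                                   b"\xac\xed\x00\x05"),
    "/jmx-console/": (401, "text/html", b""),
    "/web-console/": (404, "text/html", b""),
}


def sample_fetch(url, timeout=5):
    """Offline stand-in for fetch(): look the path up in SAMPLE_RESPONSES."""
    path = "/" + url.split("/", 3)[3]
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdicts = check_host(sys.argv[1])            # real server, e.g. http://host:8080
    else:
        verdicts = check_host("http://jboss.example:8080", fetch_fn=sample_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:16} {path}")
    print("exposed:", exposed_paths(verdicts) or "none")
```

Any path reported as exposed or exposed-invoker is the condition pwn.jsp relies on. On the 4.x/5.x servers the article describes, the remediation is a configuration change rather than a code change: put the invoker servlets and the consoles behind a security constraint in their deployment descriptors, or remove the http-invoker.sar, jmx-console and web-console deployments outright if the product does not use them.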
“Although this specific JBoss AS security issue has been known to the security community for a few years, it is amazing to realize that during these years the attack surface had not decayed, but in fact had grown in terms of the number of vulnerable web applications,” Imperva’s Barry Shteiman wrote in a blog post.
JBoss AS, which is developed by Red Hat, has been renamed WildFly, and 7.1.1 is the last stable release under the JBoss AS name. However, many organizations still deploy 4.x or 5.x versions for compatibility reasons. Additionally, these older versions are bundled in many products from vendors like McAfee, Symantec, Hewlett-Packard and IBM. The growing attack surface of the vulnerability shows some of the dangers of insecure open source code finding its way into new products, as well as underscoring how long a publicly known flaw can remain exploitable in the wild when the affected component is embedded in products that never pick up the fix. For developers, this incident can serve as a reminder that software security must be considered for any legacy code or third-party component that is added to a project. Source code analysis tests can catch errors in the code itself; for a bundled server like this one, keeping an inventory of third-party components and their versions, and reviewing the configuration they ship with, is what finds a management interface left open by default.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.