Misconfigured Java web server component Jolokia exposes websites to cyber attacks
26.6.18 securityaffairs Hacking

Several websites using the misconfigured Java web server component Jolokia, including those operated by financial organizations, are exposed to cyber attacks.
Websites using a misconfigured Java web server component are exposed to cyber attacks. Several high-profile websites, including those operated by financial organizations, were affected by the issue.

The security researcher Mat Mannion discovered flaws in Jolokia, an agent that exposes Java Management Extensions (JMX) over HTTP, that could result in denial of service, information disclosure and other potential attacks against Java web servers.

According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”

“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as jolokia.war or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication,” reads the security advisory published by Mannion.

“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service].”


The expert also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, but he noted that it could easily be adapted to any other web server.

The expert scanned the Internet for misconfigured Jolokia domains and discovered many vulnerable websites, then notified them via HackerOne.

“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version,” wrote the expert.

“For each domain, the following URLs were attempted:

http://$DOMAIN$/jolokia
http://www.$DOMAIN$/jolokia
http://$DOMAIN$:8080/jolokia
https://$DOMAIN$/jolokia
https://www.$DOMAIN$/jolokia
https://$DOMAIN$:8443/jolokia”
Out of the 1,000,000 domains, the results were:

Result           No. of domains
Exploitable      147
401              2016
Other 2xx        340488
Other 4xx        205645
Timeout/error    451704
The 401 response indicates that connections to Jolokia were secured through some kind of authentication.
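As an added illustration (not Mannion’s scanner, nor code from the Jolokia project), the following Python self-check applies the article’s six URL forms and its five result bins to a list of domains you operate, so an administrator can confirm that every /jolokia endpoint answers 401 rather than serving the agent’s version JSON. The URL forms and bins come from the article; the JSON shape follows Jolokia’s standard version response, and the `probe` fetch helper is an assumption.

```python
"""Jolokia exposure self-check (added example, not Mannion's scanner).
Bins each domain into the article's categories by probing the six URL forms
it lists; only run it against hosts you operate. The fetch helper is assumed."""
import json
import urllib.error
import urllib.request
from collections import Counter

URL_FORMS = ["http://{d}/jolokia", "http://www.{d}/jolokia", "http://{d}:8080/jolokia",
             "https://{d}/jolokia", "https://www.{d}/jolokia", "https://{d}:8443/jolokia"]
# Worst-first: a domain is binned by the most serious result among its URLs.
PRIORITY = ["Exploitable", "401", "Other 2xx", "Other 4xx", "Timeout/error"]

def classify(status, body):
    """Map one response to (category, disclosed container) using the article's bins."""
    if status == 401:
        return "401", None
    if status is not None and 200 <= status < 300:
        try:  # an unauthenticated agent answers its version request as JSON
            value = json.loads(body)["value"]
            if "agent" in value:
                info = value.get("info", {})  # servlet container product/version
                return "Exploitable", f"{info.get('product')} {info.get('version')}"
        except (ValueError, KeyError, TypeError, AttributeError):
            pass
        return "Other 2xx", None
    if status is not None and 400 <= status < 500:
        return "Other 4xx", None
    return "Timeout/error", None  # the article has no separate bin for 3xx/5xx

def probe(url, timeout=5):
    """Fetch url; (None, None) on any network failure (assumed helper)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError, ValueError):
        return None, None

def check_domains(domains, fetch=probe):
    """Return (Counter of per-domain bins, [(url, container)] needing attention)."""
    counts, exposed = Counter(), []
    for d in domains:
        results = [(u, *classify(*fetch(u))) for u in (f.format(d=d) for f in URL_FORMS)]
        worst = min(results, key=lambda r: PRIORITY.index(r[1]))
        counts[worst[1]] += 1
        if worst[1] == "Exploitable":
            exposed.append((worst[0], worst[2]))
    return counts, exposed
```

Any domain landing in the "Exploitable" bin is serving JMX over HTTP without authentication and should be put behind a login or firewall before anything else.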

Fortunately, many websites addressed the issue before the expert made his discovery public.

Mannion also notified a Jolokia maintainer and the Apache security team; the timeline of the issue is below.

Date               Event
24th May 18        Initial discovery, start scan
25th May 18        Disclosure to HackerOne
26th-28th May 18   Disclosure to affected domains, maintainer of Jolokia and Apache security team
25th June 18       Public disclosure