SERVER-WEBAPP JBoss JMXInvokerServlet access attempt

This alert is triggered when detecting an attempt to access the JMXInvokerServlet in the JBoss application server. JBoss JMXInvokerServlet is a component of JBoss Application Server that provides access to the JMX (Java Management Extensions) console, enabling users to manage and monitor resources in a Java Virtual Machine (JVM). This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss JMXInvokerServlet, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

ID Number

24343

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss JMXInvokerServlet access attempt"; flow:to_server,established; content:"/invoker/JMXInvokerServlet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-admin; sid:24343; rev:4;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to verify the legitimacy of the access attempt, it might be part of a routine operation by a system administrator. Furthermore, it is recommended to deny access from an external network to JBoss JMXInvokerServlet, if there is a need to allow external access to JBoss JMXInvokerServlet and enable access to specific assets.