SERVER-WEBAPP JBoss JMX console access attempt

This alert is triggered when an access attempt to the JBoss JMX console is detected. The JBoss JMX (Java Management Extensions) console is a web-based interface used for managing and monitoring JBoss Application Server resources. The rule checks for requests to the /jmx-console/ URI, which indicate an effort to access this management console. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss JMX console, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

ID Number

21516

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss JMX console access attempt"; flow:to_server,established; content:"/jmx-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:21516; rev:9;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to verify the legitimacy of the access attempt, as it might be part of a routine operation by a system administrator. Furthermore, it is recommended to deny access to JBoss JMX from external networks; if there is a need to allow external access to JBoss JMX, enable access for specific assets only.
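
One way to carry out the verification step above over web server access logs, as an added example that is not part of the original rule documentation. The internal ranges, the admin host list, the verdict names and the sample log lines are all constructed assumptions; the log format is assumed to be Common/Combined Log Format.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions (constructed for this example): internal ranges and known admin hosts.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ADMIN_HOSTS = {ipaddress.ip_address("10.0.5.20")}

# Common/Combined Log Format: client, timestamp, method, URI, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (external clients use documentation address ranges).
SAMPLE_LOG = """\
10.0.5.20 - admin [12/Mar/2024:09:14:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:09:20:41 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 401 512
198.51.100.9 - - [12/Mar/2024:09:21:10 +0000] "GET /%6Amx-console/ HTTP/1.1" 200 5120
10.0.7.33 - - [12/Mar/2024:09:25:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:09:26:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def triage(log_text):
    """Return (client, time, path, status, verdict) for each /jmx-console/ request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, uri, status = m.groups()
        # Drop the query string and percent-decode so encoded paths are compared too.
        path = unquote(uri.split("?", 1)[0])
        if "/jmx-console/" not in path:
            continue
        ip = ipaddress.ip_address(client)
        internal = any(ip in net for net in HOME_NET)
        if ip in ADMIN_HOSTS:
            verdict = "expected-admin"           # routine administrator access
        elif internal:
            verdict = "internal-unlisted"        # internal host not on the admin list
        elif status.startswith("2"):
            verdict = "external-console-served"  # console answered an external client
        else:
            verdict = "external-denied"          # external request was refused
        findings.append((client, ts, path, int(status), verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

An "external-console-served" verdict means the console is reachable from outside and the access restriction recommended above is not in place.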