SERVER-WEBAPP JBoss admin-console access

This alert is triggered when detecting an attempt to access the admin console of a JBoss application server. The JBoss admin console is a web-based interface used for managing and configuring JBoss Application Server resources. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss admin console, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

ID Number

21517

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss admin-console access"; flow:to_server,established; content:"/admin-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:21517; rev:6;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to verify the legitimacy of the access attempt, it might be part of a routine operation by a system administrator. Furthermore, it is recommended to deny access from an external network to the JBoss web console, if there is a need to allow external access to the JBoss web console and enable access to specific assets.