SERVER-WEBAPP JBoss web console access attempt

This alert is triggered when an attempt to access the web console of a JBoss application server is detected. The JBoss web console is a graphical user interface provided by JBoss Application Server for managing and monitoring the server and its applications. The alert may indicate that an adversary is attempting to exploit known vulnerabilities in the JBoss web console, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

ID Number

24342

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss web console access attempt"; flow:to_server,established; content:"/web-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:24342; rev:4;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to verify the legitimacy of the access attempt, as it might be part of a routine operation by a system administrator. Furthermore, it is recommended to deny access from external networks to the JBoss web console. If external access to the JBoss web console is required, enable access for specific assets only.
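
One way to support the verification step, as an added example that is not part of the original rule documentation: the Python script below searches web server access log lines for the same /web-console/ string the signature matches in the URI and separates external sources from internal ones. The internal network ranges, the common/combined log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: networks treated as internal (the inverse of $EXTERNAL_NET).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
NEEDLE = "/web-console/"  # same string the signature matches in the URI

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /web-console/ HTTP/1.1" 200 5120
10.1.2.3 - admin [12/Mar/2024:10:05:00 +0000] "GET /web-console/ HTTP/1.1" 200 812
198.51.100.9 - - [12/Mar/2024:10:07:41 +0000] "GET /%77eb-console/status HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2024:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 99
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return one record per request whose decoded path contains NEEDLE."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode %xx escapes so the check sees the path as the server resolves it.
        path = unquote(urlsplit(m["target"]).path)
        if NEEDLE not in path:
            continue
        external = not is_internal(m["ip"])
        hits.append({
            "src": m["ip"], "time": m["ts"], "path": path,
            "status": int(m["status"]), "external": external,
            # External requests the server answered with 200 are reviewed first.
            "priority": "high" if external and m["status"] == "200" else "review",
        })
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A "high" record means an external address received a successful response from the console, which is the case the recommendation to deny external access is meant to prevent.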