Misconfiguration of a commonly used Java web server component puts websites at risk of attack, web dev and security researcher Mat Mannion has warned.
Shortcomings in Jolokia's Java Management Extensions (JMX) open the door to information disclosure, denial of service, and other potential attacks against Java web servers.
The problem arises because some distributions of Jolokia, such as the WAR agent, are "insecure by default", Mannion said. Although Jolokia is mostly deployed as a monitoring technology, the scope for abuse is quite extensive.
"Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service]," Mannion said.
He told El Reg that the problem affected several high-profile websites including those run by financial services firms and banks. In many cases, a "misconfiguration [in the] JMX bridge led to information such as database credentials being available over HTTP in cleartext".
Mannion scanned the web for unsecured Jolokia domains and discovered scores of vulnerable websites. He used HackerOne to notify affected sites, most of which have tightened up their installs to prevent abuse, prior to going public with a blog post outlining his discoveries on Monday.
His advisory includes a harmless proof-of-concept exploit against an Apache Tomcat 8 servlet container.
Mannion, who leads the web development team at the UK's University of Warwick, notified a maintainer on the Jolokia and Apache security team prior to releasing his research.
"My view is widespread misconfiguration, but the fact that the WAR agent ships in this way is something I'd hope would be fixed," he told El Reg. "Compare with how the manager app ships in Tomcat; it won't work until you define a user and roles to access it."
An Apache security team member said: "We agree with Mat [Mannion's] assessment that the WAR distribution of Jolokia is insecure by default," adding that the issue is not a vulnerability in Apache Tomcat.
Roland Huss, maintainer of Jolokia, also agreed that Mannion had a point, while arguing that this was an insecure-setup issue rather than a bug.
"I do believe it's a serious issue, but it's not a bug in Jolokia," Huss said. "The default setup in the WAR agent (there are other kinds of agents for Jolokia, too) is unsecured as there is no easy way to describe the proper security setup as this is servlet container specific (e.g. different for Tomcat and Jetty)."
"There is a warning in the documentation to secure the WAR agent, including instruction on how to do so," Huss concluded, adding that he intended to tweak how the package is parceled to make the warning even more prominent.
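The container-specific security setup Huss and Mannion refer to, as an added example rather than the project's own shipped configuration: a servlet security constraint for the WAR agent's `WEB-INF/web.xml`, plus the matching role and user in Tomcat's `conf/tomcat-users.xml`. The role name `jolokia`, the use of BASIC auth and the file locations are assumptions here.

```xml
<!-- Fragment assumed to go in the Jolokia WAR agent's WEB-INF/web.xml
     (added example, not the project's own shipped file). It requires an
     authenticated principal holding the "jolokia" role for every request
     into the agent's context, and forces TLS so credentials and MBean data
     such as database connection settings are not sent in cleartext. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Jolokia-Agent Access</web-resource-name>
    <!-- Covers every path under the agent context, e.g. /jolokia/* -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only principals with this role may reach the JMX bridge -->
    <role-name>jolokia</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container require HTTPS for these requests -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Jolokia</realm-name>
</login-config>

<security-role>
  <role-name>jolokia</role-name>
</security-role>

<!-- Tomcat side, assumed to go in conf/tomcat-users.xml: define the role and
     a monitoring user that holds it. The password is a placeholder only. -->
<tomcat-users>
  <role rolename="jolokia"/>
  <user username="monitoring" password="CHANGE-ME" roles="jolokia"/>
</tomcat-users>
```

Without the `auth-constraint`, the container answers Jolokia requests for anyone who can reach the URL over plain HTTP, which is the exposure described above; with it in place, an unauthenticated request is refused before it reaches any MBean.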
We note that version 1.6.0 of Jolokia, released on Monday, ships with the WAR agent secured by default. If you use this software, please check it out. ®