Is the JMXInvokerServlet in JBoss EAP vulnerable to remote code execution exploits?


FoxGlove Security [1] reported an issue affecting JBoss Application Server (AS) 6.1.0 via the JMXInvokerServlet interface. JBoss AS is the legacy community project and is not supported by Red Hat. It is distinct from JBoss Enterprise Application Platform (EAP), which is supported as part of the JBoss Middleware Suite.

The FoxGlove Security article describes a vulnerability in JBoss AS 6.1.0 involving Java Object Serialization and the JMXInvokerServlet interface, with an example demonstrating that remote code execution is possible. The demonstrated exploit requires the Apache commons-collections library [2] to be on the classpath, because that library supplies the gadget chain used to turn deserialization into code execution. The underlying problem, however, is that the servlet deserializes Java objects from untrusted sources; removing one gadget library does not by itself make such an endpoint safe.
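The paragraph above describes a serialized Java object posted to an invoker endpoint and the commons-collections classes the demonstration relies on. The following scanner is an added example, not code from Red Hat or from the FoxGlove Security write-up: given a captured request body (for instance a POST to `/invoker/JMXInvokerServlet` seen by a proxy or WAF), it checks for the Java serialization stream header, walks the stream for `TC_CLASSDESC` records to recover class names, and flags names from the well-known commons-collections gadget chains. The gadget list, the `build_sample_stream` helper and its sample bodies are assumptions constructed for the example; the samples are structurally minimal class descriptors, not working payloads.

```python
"""Heuristic scanner for Java serialization streams posted to an invoker endpoint.

Added example, not code from Red Hat or from the FoxGlove Security write-up.
It inspects a request body, checks for the Java serialization magic, walks the
stream for TC_CLASSDESC records to recover class names, and flags class names
that belong to the well-known commons-collections gadget chains.
"""
import re
import struct

# Stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Classes from the commons-collections 3.x / 4.0 gadget chains.
# This list is an assumption for the example; extend it for your environment.
GADGET_CLASSES = frozenset({
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.ChainedTransformer",
})

# Fully qualified Java class name (array descriptors such as "[Ljava.lang.Object;" are ignored).
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def is_java_serialized(body: bytes) -> bool:
    """True if the body starts with the Java serialization stream header."""
    return body.startswith(JAVA_SERIAL_MAGIC)


def extract_class_names(body: bytes) -> list:
    """Return class names found in TC_CLASSDESC records, in stream order.

    A TC_CLASSDESC record starts with 0x72, then a 2-byte big-endian length
    and that many bytes of class name (modified UTF-8). The scan is a
    heuristic: it does not track back-references or field descriptors, so it
    also works on truncated captures, at the cost of possible misses.
    """
    names = []
    i = 0
    while i + 3 <= len(body):
        if body[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", body[i + 1:i + 3])
            candidate = body[i + 3:i + 3 + length]
            if 0 < length <= 512 and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def flag_gadget_classes(body: bytes) -> set:
    """Return the gadget-chain class names present in a serialized body."""
    if not is_java_serialized(body):
        return set()
    return {name for name in extract_class_names(body) if name in GADGET_CLASSES}


def build_sample_stream(class_name: str) -> bytes:
    """Construct a minimal stream carrying one class descriptor (test data only).

    This is constructed input for the scanner, not a working payload: it has
    no fields and no field values, so it would not deserialize into a usable
    object.
    """
    name = class_name.encode("ascii")
    return (
        JAVA_SERIAL_MAGIC
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name
        + b"\x00" * 8                        # serialVersionUID (dummy)
        + b"\x02"                            # classDescFlags: SC_SERIALIZABLE
        + b"\x00\x00"                        # field count: 0
        + bytes([TC_ENDBLOCKDATA, TC_NULL])  # no class annotations, no superclass
    )


if __name__ == "__main__":
    for cls in ("java.util.HashMap",
                "org.apache.commons.collections.functors.InvokerTransformer"):
        body = build_sample_stream(cls)
        print(cls, "->", flag_gadget_classes(body) or "no gadget classes")
```

A positive hit from this scanner is a strong signal to investigate, but a clean result is not proof of safety: other gadget chains exist, and the durable fix is to stop the endpoint from deserializing untrusted input (or to not expose it at all) rather than to blocklist class names.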

The reported issue does not impact products in the JBoss Middleware Suite, including EAP 5 and EAP 6. In EAP 5 the JMXInvokerServlet requires authentication before it will accept a message, so an unauthenticated attacker cannot reach the deserialization step, and the servlet does not exist in EAP 6. However, while investigating this issue, further, separate issues were identified that need to be patched. For more information on those issues, see this article.

[1] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[2] https://commons.apache.org/proper/commons-collections/
