CVE-2018-10899
Description
Jolokia versions 1.2 through 1.6.0 are vulnerable to a system-wide CSRF that bypasses origin and referrer header checks, potentially leading to Remote Code Execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
A flaw was discovered in Jolokia, a Java-based JMX-HTTP bridge, affecting versions from 1.2 up to (but not including) 1.6.1. The software is vulnerable to a system-wide Cross-Site Request Forgery (CSRF) attack. Notably, this vulnerability exists even in instances that have been properly configured with strict checking of the HTTP Origin and Referer headers, as the CSRF protection mechanism can be bypassed [1][2].
Attack Vector
An attacker can exploit this CSRF vulnerability by crafting a malicious web page or link that, when visited by an authenticated user with access to the Jolokia endpoint, triggers unauthorized requests. Since the origin and referrer checks can be circumvented, the attacker's requests appear legitimate to the Jolokia instance. This does not require network access beyond the ability to deliver the malicious payload to the target user, who must have a valid session with the Jolokia service [2][3].
Impact
Successful exploitation allows the attacker to perform arbitrary JMX operations on the target Java application server. Because JMX can be used to invoke methods and modify system properties, this can lead to a full Remote Code Execution (RCE) attack, giving the attacker complete control over the affected JVM and the underlying host system [2][3].
Mitigation
The vulnerability is fixed in Jolokia version 1.6.1, which was released on 2019-05-01 [1]. Red Hat also addressed this issue in security updates for Red Hat Fuse and A-MQ (RHSA-2019:2413 and RHSA-2019:2804) in August and September 2019 [3][4]. Users should upgrade to Jolokia 1.6.1 or later without delay, or apply the relevant vendor patches, to mitigate the risk of exploitation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jolokia:jolokia-core (Maven) | >= 1.2, < 1.6.1 | 1.6.1 |
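As an added example (not from the advisory, the Jolokia project, or this page), a Python check that scans `mvn dependency:tree` output for `org.jolokia:jolokia-core` inside the affected range `>= 1.2, < 1.6.1` from the table above. The sample tree is constructed, and the ordering rule for pre-release qualifiers (a `-SNAPSHOT` of 1.6.1 still counts as affected) is an assumption.

```python
import re
from typing import List, Tuple

# Affected range for org.jolokia:jolokia-core as given in the advisory table.
AFFECTED_ARTIFACT = "org.jolokia:jolokia-core"
AFFECTED_FROM = "1.2"
FIXED_IN = "1.6.1"

# Matches a Maven coordinate such as org.jolokia:jolokia-core:jar:1.6.0:compile
COORD = re.compile(r"([A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+){3,5})")

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:war:1.0.0
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] |  \\- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.jolokia:jolokia-client-java:jar:1.6.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Comparable key for Maven-style versions (1.6, 1.6.0, 1.6.1-SNAPSHOT).
    Numeric parts are padded so 1.6 == 1.6.0; a release (no qualifier) sorts
    after any pre-release qualifier of the same number (assumed rule)."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return nums, (1 if not qualifier else 0), qualifier.lower()


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_FROM, FIXED_IN)."""
    return version_key(AFFECTED_FROM) <= version_key(version) < version_key(FIXED_IN)


def find_affected(maven_output: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every affected jolokia-core
    coordinate found in dependency:tree or dependency:list output."""
    hits = []
    for line in maven_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # Root coordinate is g:a:type:version; dependencies append :scope
        # (and optionally a classifier before the version).
        version = parts[3] if len(parts) == 4 else parts[-2]
        ga = f"{parts[0]}:{parts[1]}"
        if ga == AFFECTED_ARTIFACT and is_affected(version):
            hits.append((ga, version))
    return hits
```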
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2019:2413 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2019:2804 (Red Hat vendor advisory)
- github.com/advisories/GHSA-xcxf-7q4p-cj26 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10899 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- jolokia.org/changes-report.html (Jolokia changes report)
- lists.apache.org/thread.html/1392fbebb4fbbec379a40d16e1288fe1e4c0289d257e5206051a3793@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/r46f6dbc029f49e1f638c6eb82accb94b7f990d818cb3b3bc0007dd0a@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/r64701caec91c43efd7416d6bddef88447371101e00e8562741ede262@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/r67cdc50af9caf89c9ebe1bde08393a343dcd89edba1c63677f68f43b@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/rc169dac018d07e8ddf2a3bb2fd1efc6cbda4f83f1bbf7a8c798e7f4f@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/rdb0a59d7851e721b75beea13d6488e345a3e2735838e89d9269d7d32@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
- lists.apache.org/thread.html/rf33ffbba619a4281ce592a6ed259c07a557aefb4975619d83c4122ea@%3Cissues.activemq.apache.org%3E (ActiveMQ issues mailing list)
News mentions: 0
No linked articles in our index yet.