VYPR
High severity · NVD Advisory · Published Apr 3, 2023 · Updated Feb 13, 2025

Apache James server: Privilege escalation through unauthenticated JMX

CVE-2023-26269

Description

Apache James server <=3.7.3 exposes an unauthenticated JMX management service, enabling local privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-26269 affects Apache James server version 3.7.3 and earlier, where the JMX management service is started without authentication by default [1][2]. The root cause is the absence of required credentials for JMX remote access, which violates the principle of least privilege for management interfaces.

Exploitation

Exploitation requires local access to the host running the James server. An attacker with local user privileges can connect to the JMX service (typically on port 9999 or similar) without supplying any credentials [1]. No network-based remote exploitation is described; the attack surface is limited to local users on the same system.

Impact

A malicious local user can leverage unauthenticated JMX access to invoke management operations, leading to privilege escalation [1]. This could allow an attacker to execute arbitrary code with the privileges of the James server process, potentially gaining full control over the mail server and its data.

Mitigation

Administrators should disable JMX if not needed, or configure a JMX password [1]. Starting with version 3.7.4, Apache James automatically sets up a JMX password for Guice-based configurations [1][2]. Users are strongly advised to upgrade to 3.7.4 or later, or apply the recommended configuration changes.
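As an added example (not code from the advisory or the Apache James project), the helper below applies the guidance above to a host's configuration: it flags an affected version, JMX enabled without a password, and JMX bound beyond loopback. The key names jmx.enabled, jmx.address and jmx.port follow the layout of James's conf/jmx.properties; the password-file check is an assumption about how a deployment records that a JMX password was configured.

```python
# Added example, not code from the advisory or the Apache James project.
# Key names jmx.enabled / jmx.address / jmx.port follow James's conf/jmx.properties;
# how the password file is detected (password_file_present) is left to the caller.

def parse_version(version: str) -> tuple:
    """'3.7.3' -> (3, 7, 3) so versions compare in order."""
    return tuple(int(part) for part in version.split("."))

def is_affected_version(version: str) -> bool:
    """CVE-2023-26269 affects James <= 3.7.3; 3.7.4 configures a JMX password."""
    return parse_version(version) <= (3, 7, 3)

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def assess_jmx(version: str, jmx_properties: str, password_file_present: bool) -> list:
    """Return findings; an empty list means the advisory's mitigation is in place."""
    props = parse_properties(jmx_properties)
    findings = []
    if props.get("jmx.enabled", "true").lower() != "true":
        return findings  # JMX disabled: the management service is not exposed at all
    if not password_file_present:
        action = ("upgrade to 3.7.4 or later, or configure a JMX password"
                  if is_affected_version(version) else "configure a JMX password")
        findings.append(f"JMX on port {props.get('jmx.port', '9999')} accepts "
                        f"unauthenticated connections; {action}, or disable JMX")
    if props.get("jmx.address", "127.0.0.1") != "127.0.0.1":
        findings.append("JMX bound to a non-loopback address, widening exposure "
                        "beyond local users")
    return findings

# Constructed sample configurations (not taken from any real host).
VULNERABLE_CONF = "jmx.enabled=true\njmx.address=127.0.0.1\njmx.port=9999\n"
HARDENED_CONF = "jmx.enabled=false\n"

if __name__ == "__main__":
    for finding in assess_jmx("3.7.3", VULNERABLE_CONF, password_file_present=False):
        print("FINDING:", finding)
```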

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.apache.james:javax-mail-extension (Maven)
Affected versions: < 3.7.4
Patched versions:  3.7.4
