Apache James server: Privilege escalation via JMX pre-authentication deserialisation
Description
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default the JMX endpoint is only bound locally.
We recommend users to:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache James before 3.7.5 and 3.8.0 allows pre-authentication deserialization of untrusted data via its localhost JMX endpoint.
In Apache James versions prior to 3.7.5 and 3.8.0, the JMX endpoint exposed on localhost is vulnerable to pre-authentication deserialization of untrusted data [1]. This means an attacker who can reach the JMX port (by default bound only to localhost) can send a crafted serialized object that the server will deserialize without requiring any authentication [1].
The vulnerability can be exploited if an attacker gains the ability to send data to the local JMX port, for example through another flaw that allows remote code execution or by having local access to the system. While the JMX endpoint is only bound to localhost by default, this still presents a risk if combined with other attack vectors that allow network or local access to the JMX interface [1].
Successful exploitation, given a suitable deserialization gadget available in the classpath, could allow an attacker to perform arbitrary code execution, leading to privilege escalation within the context of the Apache James server [1]. The impact is particularly severe because the deserialization happens before authentication checks, bypassing any access controls on the JMX endpoint [1].
Users are advised to upgrade to Apache James version 3.7.5 or 3.8.0 or later, which contain fixes for this vulnerability. If upgrade is not immediately possible, running Apache James isolated from other processes (e.g., in a dedicated container or virtual machine) or turning off the JMX endpoint entirely are recommended mitigations [1]. The vendor also notes that using a Docker container or dedicated VM can limit the exposure of the local JMX endpoint.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:james-server (Maven) | < 3.7.5 | 3.7.5 |
| org.apache.james:james-server (Maven) | >= 3.8.0, < 3.8.1 | 3.8.1 |
Affected products
- Apache Software Foundation / Apache James server
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-px7w-c9gw-7gj3 (GHSA advisory)
- lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-51518 (NVD advisory)
News mentions
No linked articles in our index yet.