CVE-2010-1428 — Red Hat JBoss Information Disclosure Vulnerability

CVE-2010-1428

Red Hat JBoss — Web-Console HTTP Verb Bypass Exposes Sensitive Server Information to Unauthenticated Attackers

What is Red Hat JBoss and the Web-Console?

Red Hat JBoss Enterprise Application Platform (EAP) includes two management web interfaces: the JMX-Console (/jmx-console) for Java Management Extensions operations, and the Web-Console (/web-console) for server status monitoring and management. The web-console exposes detailed information about the JBoss server environment including deployed applications, server configuration, thread activity, and system properties. In production environments both consoles are meant to be restricted to administrators — but both suffered from the same HTTP verb bypass weakness, making them two halves of the same attack toolkit.

Overview

CVE-2010-1428 is a high-severity information disclosure vulnerability (CVSS 7.5) in the JBoss Application Server web-console. The access control filtering on /web-console blocked GET and POST requests from unauthenticated users — but accepted requests using other HTTP methods without enforcing authentication. An unauthenticated remote attacker could use this to access sensitive JBoss server information. CISA added both CVE-2010-1428 and its sibling CVE-2010-0738 (JMX-Console verb bypass) to KEV simultaneously in May 2022; the ransomwareUse: true designation reflects their combined exploitation in ransomware pre-deployment reconnaissance.

Affected Versions

Product                                             | Vulnerable | Fixed
Red Hat JBoss Enterprise Application Platform 4.3.x | Affected   | Apply Red Hat Security Advisory
JBoss AS (community) before patch                   | Affected   | Update to patched version

Technical Details

The vulnerability is an HTTP verb tampering issue in the web-console's servlet filter. The filter checked whether incoming requests used GET or POST methods and required authentication for those — but did not apply the same restriction to requests made with other valid HTTP verbs (HEAD, DELETE, OPTIONS, TRACE, PUT, or arbitrary custom verbs).

An attacker sending a HEAD or other non-GET/POST request to web-console URLs bypassed the authentication filter entirely. The web-console handlers then processed the requests and returned server information, exposing:

  • Deployed application names and configuration
  • Server version, JVM details, and system properties
  • MBean tree information revealing server internals
  • Thread dumps and memory statistics

The practical severity is substantially higher than the CVSS 7.5 "Confidentiality: High" score suggests in isolation. Used in conjunction with CVE-2010-0738 (the JMX-Console variant of the same class of flaw), the combination gave attackers a complete unauthenticated administration capability: CVE-2010-1428 provided reconnaissance into what was deployed on the server, and CVE-2010-0738 provided the ability to deploy malicious WAR files and execute code.

Discovery

Discovered and disclosed simultaneously with CVE-2010-0738 by security researchers analyzing JBoss access control mechanisms. Both vulnerabilities share the same root cause — incomplete HTTP method coverage in the JBoss management interface filters — and were reported together to Red Hat. The pairing of the two CVEs reflects a single logical vulnerability class affecting both /web-console and /jmx-console.

Exploitation Context

JBoss web-console attacks were part of the same ransomware and cryptomining campaign toolkit as CVE-2010-0738:

  • Reconnaissance for follow-up exploitation: Attackers used CVE-2010-1428 to enumerate deployed applications and server configuration before using CVE-2010-0738 to deploy malicious WAR files. The web-console data revealed what was installed on the server, helping attackers craft targeted payloads.
  • Ransomware deployment chain: The ransomwareUse: true designation reflects documented patterns where ransomware operators used JBoss management interface access as a pre-deployment reconnaissance step — identifying servers worth compromising and confirming the deployment environment before dropping ransomware.
  • Mass scanning: JBoss servers listening on port 8080 with exposed management consoles were routinely identified by internet scanning. Both /jmx-console and /web-console paths were standard scanner targets from 2010 onward.
  • Long-tail exploitability: JBoss AS 4.x deployments persisted in enterprise Java environments for years beyond the 2010 disclosure. CISA's 2022 KEV addition reflects confirmed continued exploitation of legacy JBoss installations.

Remediation

  1. Restrict web-console access: Apply JBoss security configurations to require authentication for ALL HTTP methods to /web-console, not just GET and POST.
  2. Remove web-console from production: In production deployments, the web-console should be completely removed or disabled.
  3. Apply Red Hat Security Advisory: Update JBoss EAP to the patched version addressing CVE-2010-1428.
  4. Network firewall: Block external access to JBoss management ports (8080, 9990) at the network perimeter.
  5. Upgrade JBoss: JBoss AS 4.x and JBoss EAP 4.3 are end-of-life. Upgrade to JBoss EAP 7 or WildFly.
  6. Audit alongside CVE-2010-0738: If remediating this CVE, also verify the JMX-Console is secured against the companion HTTP verb bypass (CVE-2010-0738).
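As an added illustration (not code from the advisory, Red Hat or the JBoss project), the following Python models the method-coverage defect described under Technical Details next to the "all methods" rule of remediation item 1, and then applies the audit behind items 1 and 6 to access-log lines. The console paths come from this page; the log lines, client addresses and function names are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

CONSOLE_PATHS = ("/web-console", "/jmx-console")   # prefixes discussed above
PROTECTED_METHODS = frozenset({"GET", "POST"})     # the only verbs enumerated

def vulnerable_requires_auth(method: str, path: str) -> bool:
    """Method-enumerating check: only GET/POST to the consoles is challenged,
    so HEAD, TRACE, PUT or a made-up verb is never asked for credentials."""
    return path.startswith(CONSOLE_PATHS) and method.upper() in PROTECTED_METHODS

def fixed_requires_auth(method: str, path: str) -> bool:
    """Path-only check: every method to the console paths is challenged."""
    return path.startswith(CONSOLE_PATHS)

# Common Log Format request line (the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_verb_bypass(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, method, path) for console requests that used a verb
    other than GET/POST and got a 2xx answer: the trace an unauthenticated
    request leaves when it slips past the method-limited filter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["path"].startswith(CONSOLE_PATHS)
                and m["method"] not in PROTECTED_METHODS
                and m["status"].startswith("2")):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits

# Constructed sample log: a challenged GET, two verb-bypass hits, one
# unrelated application request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2010:10:00:01 +0000] "GET /web-console/ HTTP/1.1" 401 0',
    '203.0.113.5 - - [26/Apr/2010:10:00:02 +0000] "HEAD /web-console/ HTTP/1.1" 200 0',
    '203.0.113.5 - - [26/Apr/2010:10:00:03 +0000] "TRACE /jmx-console/ HTTP/1.1" 200 4212',
    '198.51.100.7 - - [26/Apr/2010:10:00:04 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, method, path in find_verb_bypass(SAMPLE_LOG):
        print(f"possible verb bypass from {ip}: {method} {path}")
```

A 2xx answer to a non-GET/POST console request from an unauthenticated client is the condition to alert on; a 401 or 403 to the same request is what the corrected configuration produces.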

Key Details

Property             | Value
CVE ID               | CVE-2010-1428
Vendor / Product     | Red Hat — JBoss
NVD Published        | 2010-04-28
NVD Last Modified    | 2025-10-22
CVSS 3.1 Score       | 7.5
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity             | HIGH
CISA KEV Added       | 2022-05-25
CISA KEV Deadline    | 2022-06-15
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           None
Availability:        None

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date       | Event
2010-04-26 | Vulnerability disclosed alongside CVE-2010-0738 (JMX-Console HTTP verb bypass); JBoss web-console HTTP verb bypass reported
2010-04-28 | CVE-2010-1428 published
2022-05-25 | CISA added to KEV with ransomwareUse: true; both CVE-2010-1428 and CVE-2010-0738 added simultaneously, reflecting combined use in ransomware reconnaissance
2022-06-15 | CISA BOD 22-01 remediation deadline

References

Resource                | Type
NVD — CVE-2010-1428     | Vulnerability Database
CISA KEV Catalog Entry  | US Government