CVE-2013-4810 — HP Multiple Products Remote Code Execution Vulnerability

CVE-2013-4810

HP ProCurve Manager — JBoss EJBInvokerServlet and JMXInvokerServlet Unauthenticated Deserialization Enables Remote Code Execution

What is HP ProCurve Manager?

HP ProCurve Manager (PCM) and its variants (PCM+, Identity Driven Manager, Application Lifecycle Management) are network management platforms used by enterprises to manage HP ProCurve/Aruba network switches and infrastructure. These products run on Windows servers and use JBoss Application Server as their application platform to provide a web-based management interface. Enterprise network management platforms represent high-value targets: compromising them provides administrative access to the managed network infrastructure.

Overview

CVE-2013-4810 is a critical remote code execution vulnerability in multiple HP management products caused by unauthenticated access to JBoss Application Server's EJBInvokerServlet and JMXInvokerServlet endpoints. These JBoss servlets accept serialized Java objects via HTTP POST; when HP deployed JBoss without restricting access to these endpoints, any remote attacker could send a specially crafted serialized Java object and achieve arbitrary code execution on the server. No authentication was required.

HP patched this via security bulletin HPSBPI02897.

Affected Versions

Product                               Affected Versions    Fixed
HP ProCurve Manager (PCM)             3.20 and earlier     HPSBPI02897
HP PCM+                               3.20 and earlier     HPSBPI02897
HP Identity Driven Manager (IDM)      5.0 and earlier      HPSBPI02897
HP Application Lifecycle Management   Various versions     HPSBPI02897

Technical Details

JBoss Application Server exposes several internal management servlets that are designed for administrative use. Two of these — EJBInvokerServlet (at /invoker/EJBInvokerServlet) and JMXInvokerServlet (at /invoker/JMXInvokerServlet) — accept serialized Java objects via HTTP POST and invoke the deserialized objects within the server's JVM context.

The vulnerability: HP deployed JBoss without configuring authentication or access controls on these endpoints, leaving them accessible from the network without credentials. A remote attacker can POST a specially crafted serialized Java object to either endpoint. When the JBoss server deserializes the object, it executes the attacker-controlled deserialization gadget chain, resulting in arbitrary OS command execution as the JBoss/server process user.

Deserialization RCE: Java deserialization vulnerabilities in JBoss application servers were a significant vulnerability class in the 2010s. The same pattern, unauthenticated JBoss invoker servlets, was exploited at scale across many applications beyond HP PCM, because the root cause was JBoss's permissive default deployment configuration rather than anything specific to HP's products. Metasploit modules for JBoss invoker servlet exploitation were publicly available.

Impact on network infrastructure: HP PCM runs with administrative access to managed network devices. Code execution on PCM provides the attacker with credentials and network access to manage switches, routing, and VLANs — giving broad access to the network infrastructure managed by the platform.

Discovery

The JBoss EJBInvokerServlet attack class was widely known in the security research community from at least 2011. HP's exposure was identified through testing of HP PCM installations and disclosed via HP's security program.

Exploitation Context

CISA confirmed exploitation in the wild. Network management platforms are high-value targets for APT actors seeking persistent network access and for ransomware operators seeking to move laterally through managed infrastructure. The CVSS 9.8 severity (no authentication required) and the public availability of JBoss exploitation tooling made this straightforward to exploit for any attacker with network access to the PCM server.

Remediation

  1. Apply HP security bulletin HPSBPI02897 patches for the affected HP products
  2. If patching is not immediate: restrict access to the HP PCM management interface to authorized management workstations only, using firewall rules — block access to /invoker/ servlet paths at the network perimeter
  3. For JBoss deployments generally: audit whether EJBInvokerServlet and JMXInvokerServlet are accessible without authentication and restrict or disable them
  4. Run network management platforms on isolated management VLANs with strict ingress/egress filtering
  5. Review HP PCM administrative credentials for signs of compromise if the system was network-accessible
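The audit in step 3 can be scripted. The following is an added example, not code from the advisory or from HP: it sends an unauthenticated GET to the two invoker paths named above and classifies the answer. The response heuristic (an unprotected invoker replies 200 with a serialized Java object, a protected one replies 401/403, an undeployed one 404) is an assumption stated in the comments, so treat "unknown" verdicts as needing manual review.

```python
# Added example (not from the advisory): audit whether a JBoss host exposes the
# HTTP invoker servlets without authentication. Paths are those named in the
# advisory; the response heuristic is an assumption described below.
import urllib.error
import urllib.request

INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")
JAVA_SERIALIZED_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header


def classify(status, content_type, body):
    """Map one HTTP response to an audit verdict.

    Assumed heuristic: an unprotected invoker answers an unauthenticated GET
    with 200 and a serialized Java object (content type
    application/x-java-serialized-object or the AC ED 00 05 stream header);
    401/403 means a security constraint is in force; 404 means the invoker
    web application is not deployed at all.
    """
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    serialized = "x-java-serialized-object" in (content_type or "").lower()
    if status == 200 and (serialized or body.startswith(JAVA_SERIALIZED_MAGIC)):
        return "exposed"
    return "unknown"


def probe(base_url, path, timeout=5):
    """Unauthenticated GET; returns (status, content_type, first 16 bytes)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read(16)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), b""


def audit(base_url):
    """Return {path: verdict} for both invoker servlets on one host."""
    return {path: classify(*probe(base_url, path)) for path in INVOKER_PATHS}


if __name__ == "__main__":
    import sys
    # Usage: python audit_invoker.py http://pcm-server.example:8080 (hostname is a placeholder)
    for path, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:10s} {path}")
```

Run it against your own PCM server before and after applying the bulletin or the firewall rule in step 2; both paths should move from "exposed" to "restricted" or "absent".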

Key Details

Property               Value
CVE ID                 CVE-2013-4810
Vendor / Product       Hewlett Packard (HP): ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management
NVD Published          2013-09-16
NVD Last Modified      2025-10-22
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2022-03-25
CISA KEV Deadline      2022-04-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date         Event
2013-09-16   HP publishes HPSBPI02897 and CVE-2013-4810 is published
2013-09      HP releases patches for PCM, PCM+, IDM, and ALM products
2022-03-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15   CISA BOD 22-01 remediation deadline

References

Resource                              Type
NVD: CVE-2013-4810                    Vulnerability Database
CISA KEV Catalog Entry                US Government
HP Security Bulletin HPSBPI02897      Vendor Advisory