Associated Vulnerability
Title: Jolokia agent cross-site scripting vulnerability (CVE-2018-1000129)
Description: Jolokia is an open-source project that provides remote JMX management over HTTP using JSON; it offers JMX bulk operations, security policies and more. The Jolokia agent is one of its agent components. The HTTP servlet in Jolokia agent version 1.3.7 contains a cross-site scripting vulnerability. A remote attacker can exploit it to execute malicious JavaScript in a user's browser.
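The check a practitioner wants first is which agent version is actually deployed. The following is an added example, not code from the Jolokia project or from this PoC: it parses the agent's answer to a `version` request and flags anything at or below the 1.3.7 named above. The response text is constructed to match the shape of that answer, and the cut-off is an assumption taken from the affected version stated on this page (the fixed release is not stated here).

```python
# Added example (not Jolokia project code). Parses the JSON the agent returns
# for a "version" request and flags agents at or below the version this page
# names as affected. Cut-off is an assumption based on that stated version.
import json

AFFECTED_UPTO = (1, 3, 7)  # assumption: last version reported affected on this page

# Constructed sample, shaped like the agent's reply to GET /jolokia/version.
SAMPLE_VERSION_RESPONSE = json.dumps({
    "request": {"type": "version"},
    "value": {"agent": "1.3.7", "protocol": "7.2", "info": {"product": "tomcat"}},
    "timestamp": 1520000000,
    "status": 200,
})


def parse_version(tag):
    """'1.5.0' -> (1, 5, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    core = tag.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def agent_version(raw_response):
    """Extract value.agent from a version response; raise on a non-200 status."""
    data = json.loads(raw_response)
    if data.get("status") != 200:
        raise ValueError("version request failed: %s"
                         % data.get("error", data.get("status")))
    return data["value"]["agent"]


def is_affected(raw_response, cutoff=AFFECTED_UPTO):
    """True when the reported agent version is at or below the cut-off."""
    return parse_version(agent_version(raw_response)) <= cutoff
```

Point the same function at a live response by fetching `<base-url>/jolokia/version` and passing the body to `is_affected`; the agent also answers a POST with `{"type":"version"}`.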
Readme
![Jolokia - JMX on Capsaicin][1]
Jolokia is a fresh way to access JMX MBeans remotely. It differs
from JSR-160 connectors in that it is an agent-based approach
which uses JSON over HTTP for its communication in a REST-style
way.
Multiple agents are provided for different environments:
* **WAR Agent** for deployment as web application in a Java EE Server.
* **OSGi Agent** for deployment in an [OSGi][2] container. This agent
is packaged as a bundle and comes in two flavors (minimal,
all-in-one).
* **JVM Agent** which can be used with any JVM of version 11 or
later and which is able to attach to a running Java process
dynamically.
## Features
The agent approach has several advantages:
* **Firewall friendly**
Since all communication is over HTTP, proxying through firewalls
becomes mostly a non-issue (in contrast to RMI communication, which
is the default mode for JSR-160).
* **Polyglot**
No Java installation is required on the client
side. E.g. [Jmx4Perl][3] provides a rich Perl client library and
Perl based tools for accessing the agents.
* **Simple Setup**
Setup is done by a simple agent deployment. In contrast,
exporting JMX via JSR-160 can be remarkably complicated (see these
blog posts on setting up [Weblogic][4] and [JBoss][5] for native
remote JMX exposure).
Additionally, the agents provide extra features not available with
JSR-160 connectors:
* **Bulk requests**
In contrast to JSR-160 remoting, Jolokia can process many JMX
requests with a single round trip. A single HTTP POST request puts
those requests in its JSON payload which gets dispatched on the
agent side. These bulk requests can increase performance drastically,
especially for monitoring solutions. The Nagios plugin
[check_jmx4perl][6] uses bulk requests for its multi-check feature.
* **Fine grained security**
In addition to standard HTTP security (SSL, HTTP-Authentication)
Jolokia supports a custom policy with fine grained restrictions
based on multiple properties like the client's IP address or subnet,
and the MBean names, attributes, and operations. The policy is
defined in an XML format with support for allow/deny sections and
wildcards.
* **Proxy mode**
Jolokia can operate in an agentless mode where the only requirement
on the target platform is the standard JSR-160 export of its
MBeanServer. A proxy listens on the front side for Jolokia requests
via JSON/HTTP and propagates these to the target server through
remote JSR-160 JMX calls. Bulk requests get dispatched into
multiple JSR-160 requests on the proxy transparently.
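The bulk-request and policy features above are easiest to see together: a client sends one JSON array per POST, and the agent's access policy decides which of the sub-requests it will actually serve. The following is an added example, not code from the Jolokia project: it builds such a bulk body and pre-checks every sub-request against a constructed `jolokia-access.xml`-style policy. The policy XML is invented for the example and shaped after the `<restrict>` format the reference manual documents; the evaluation rules (client subnet whitelist, a global `<commands>` list, `<allow>` opening single MBeans, `<deny>` always winning, `*` wildcards) are a simplified model of the agent's behaviour, not the agent's own implementation.

```python
# Added example (not Jolokia project code): build a Jolokia bulk request and
# pre-check it against a simplified model of a jolokia-access.xml policy.
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed policy for this example (assumption: mirrors the <restrict> format).
POLICY_XML = """
<restrict>
  <remote>
    <host>127.0.0.1</host>
    <host>10.0.0.0/8</host>
  </remote>
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
  </commands>
  <allow>
    <mbean>
      <name>java.lang:type=Memory</name>
      <operation>gc</operation>
    </mbean>
  </allow>
  <deny>
    <mbean>
      <name>com.sun.management:type=HotSpotDiagnostic</name>
      <operation>*</operation>
    </mbean>
    <mbean>
      <name>java.lang:type=Runtime</name>
      <attribute>SystemProperties</attribute>
    </mbean>
  </deny>
</restrict>
"""


def build_bulk_request(reads, execs=()):
    """The JSON array one POST to /jolokia carries: a 'read' object per
    (mbean, attribute) and an 'exec' object per (mbean, operation, args)."""
    body = [{"type": "read", "mbean": m, "attribute": a} for m, a in reads]
    body += [{"type": "exec", "mbean": m, "operation": op, "arguments": list(args)}
             for m, op, args in execs]
    return body


def _rule_hits(rules, req):
    """True if an <mbean> rule covers this request; names use glob wildcards."""
    for rule in rules:
        if not fnmatch.fnmatchcase(req.get("mbean", ""), rule["name"]):
            continue
        if not rule["attributes"] and not rule["operations"]:
            return True  # rule names the whole MBean
        if req["type"] in ("read", "write"):
            target, patterns = req.get("attribute", ""), rule["attributes"]
        elif req["type"] == "exec":
            target, patterns = req.get("operation", ""), rule["operations"]
        else:
            continue
        if any(fnmatch.fnmatchcase(target, p) for p in patterns):
            return True
    return False


class Policy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.hosts = [h.text.strip() for h in root.findall("remote/host")]
        cmds = root.find("commands")
        self.commands = None if cmds is None else {c.text.strip() for c in cmds}
        self.allow = self._rules(root.find("allow"))
        self.deny = self._rules(root.find("deny"))

    @staticmethod
    def _rules(section):
        if section is None:
            return []
        return [{"name": mb.findtext("name").strip(),
                 "attributes": [a.text.strip() for a in mb.findall("attribute")],
                 "operations": [o.text.strip() for o in mb.findall("operation")]}
                for mb in section.findall("mbean")]

    def host_allowed(self, client_ip):
        """No <remote> section means any client; otherwise IP or CIDR must match."""
        if not self.hosts:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(h, strict=False) for h in self.hosts)

    def allows(self, req, client_ip):
        if not self.host_allowed(client_ip):
            return False
        if _rule_hits(self.deny, req):
            return False  # an explicit deny always wins
        if self.commands is None or req["type"] in self.commands:
            return True
        # command switched off globally: only an explicit <allow> entry opens it
        return _rule_hits(self.allow, req)


def filter_bulk(policy, body, client_ip):
    """Split a bulk body into the sub-requests the agent would serve and reject."""
    allowed, rejected = [], []
    for req in body:
        (allowed if policy.allows(req, client_ip) else rejected).append(req)
    return allowed, rejected
```

With the constructed policy, `read` is globally on, `exec` is globally off but opened for `java.lang:type=Memory/gc`, and both `HotSpotDiagnostic` operations and the `SystemProperties` attribute are denied regardless of client; a request from outside `10.0.0.0/8` (or localhost) is rejected wholesale. When auditing a real deployment, feed the agent's actual policy file into `Policy` and the requests you care about into `filter_bulk`.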
## Resources
* For bug reports, please use the [GitHub Issue tracker][7].
* For questions and discussions, please use [GitHub discussions][8].
Even more information on Jolokia can be found at [www.jolokia.org][9], including
a complete [reference manual][10].
## Contributions
Contributions in the form of pull requests are highly appreciated. All your work must be donated under the
Apache Public License, too. Please sign off your work before
opening a pull request. The sign-off is a simple line at the end of the patch description,
which certifies that you wrote it or otherwise have the right to
pass it on as an open-source patch. The rules are very simple: if you
can certify the below (from
[developercertificate.org](https://developercertificate.org/)):
```
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
```
Then you just add a line to every git commit message:
```
Signed-off-by: Max Morlock <max.morlock@fcn.de>
```
using your real name (sorry, no pseudonyms or anonymous contributions).
If you set your `user.name` and `user.email` git configs, you can sign your
commit automatically with `git commit -s`.
If you fix some documentation (typos, formatting, ...) you are not required to sign-off.
It is possible to sign off your commits retrospectively, [too](https://stackoverflow.com/questions/13043357/git-sign-off-previous-commits),
if you forgot it the first time.
[1]: https://jolokia.org/images/jolokia_logo.png "Jolokia"
[2]: https://www.osgi.org
[3]: https://www.jmx4perl.org
[4]: https://labs.consol.de/blog/jmx4perl/configuring-remote-jmx-access-for-weblogic
[5]: https://labs.consol.de/blog/jmx4perl/jboss-remote-jmx
[6]: https://search.cpan.org/~roland/jmx4perl/scripts/check_jmx4perl
[7]: https://github.com/jolokia/jolokia/issues
[8]: https://github.com/jolokia/jolokia/discussions
[9]: https://www.jolokia.org
[10]: https://www.jolokia.org/reference/html/index.html
File Snapshot
[4.0K] /data/pocs/90dc3326fbaa9d78b2bde1ce8800c87f07b05338
├── [4.0K] agent
│ └── [4.0K] jvm
│ ├── [ 12K] pom.xml
│ └── [4.0K] src
│ ├── [4.0K] deb
│ │ └── [4.0K] control
│ │ └── [ 335] control
│ ├── [4.0K] main
│ │ ├── [4.0K] assembly
│ │ │ └── [ 0] agent.xml
│ │ ├── [4.0K] java
│ │ │ └── [4.0K] org
│ │ │ └── [4.0K] jolokia
│ │ │ └── [4.0K] jvmagent
│ │ │ ├── [3.5K] CleanupThread.java
│ │ │ ├── [4.0K] client
│ │ │ │ ├── [3.2K] AgentLauncher.java
│ │ │ │ ├── [4.0K] command
│ │ │ │ │ ├── [6.1K] AbstractBaseCommand.java
│ │ │ │ │ ├── [2.9K] CommandDispatcher.java
│ │ │ │ │ ├── [2.2K] EncryptCommand.java
│ │ │ │ │ ├── [ 11K] HelpCommand.java
│ │ │ │ │ ├── [1.9K] ListCommand.java
│ │ │ │ │ ├── [2.8K] StartCommand.java
│ │ │ │ │ ├── [2.2K] StatusCommand.java
│ │ │ │ │ ├── [2.0K] StopCommand.java
│ │ │ │ │ ├── [1.7K] ToggleCommand.java
│ │ │ │ │ └── [1.6K] VersionCommand.java
│ │ │ │ └── [4.0K] util
│ │ │ │ ├── [4.0K] DirectVirtualMachineHandler.java
│ │ │ │ ├── [ 14K] OptionsAndArgs.java
│ │ │ │ ├── [5.0K] PlatformUtils.java
│ │ │ │ ├── [1.2K] ProcessDescription.java
│ │ │ │ ├── [1.9K] ProcessingException.java
│ │ │ │ ├── [4.3K] ToolsClassFinder.java
│ │ │ │ ├── [7.8K] VirtualMachineHandler.java
│ │ │ │ └── [3.1K] VirtualMachineHandlerOperations.java
│ │ │ ├── [4.0K] handler
│ │ │ │ ├── [3.1K] HttpExchangeBackChannel.java
│ │ │ │ └── [ 15K] JolokiaHttpHandler.java
│ │ │ ├── [1.6K] JolokiaHttpsConfigurator.java
│ │ │ ├── [ 27K] JolokiaServerConfig.java
│ │ │ ├── [ 23K] JolokiaServer.java
│ │ │ ├── [4.0K] JvmAgentConfig.java
│ │ │ ├── [ 12K] JvmAgent.java
│ │ │ ├── [4.5K] ParsedUri.java
│ │ │ └── [4.0K] security
│ │ │ ├── [4.0K] asn1
│ │ │ │ ├── [1.6K] DERBitString.java
│ │ │ │ ├── [ 955] DERDirect.java
│ │ │ │ ├── [3.5K] DERInteger.java
│ │ │ │ ├── [ 957] DERNull.java
│ │ │ │ ├── [3.9K] DERObjectIdentifier.java
│ │ │ │ ├── [1.1K] DERObject.java
│ │ │ │ ├── [2.5K] DEROctetString.java
│ │ │ │ ├── [1.6K] DERSequence.java
│ │ │ │ ├── [1.6K] DERSet.java
│ │ │ │ ├── [2.3K] DERTaggedObject.java
│ │ │ │ ├── [1.5K] DERUtcTime.java
│ │ │ │ ├── [1.4K] DERUtils.java
│ │ │ │ └── [ 975] package-info.java
│ │ │ ├── [6.6K] ClientCertAuthenticator.java
│ │ │ ├── [7.3K] DelegatingAuthenticator.java
│ │ │ ├── [2.4K] JaasHttpAuthenticator.java
│ │ │ ├── [ 13K] KeyStoreUtil.java
│ │ │ ├── [3.4K] MultiAuthenticator.java
│ │ │ ├── [4.2K] PKCS1Util.java
│ │ │ └── [1.8K] UserPasswordHttpAuthenticator.java
│ │ └── [4.0K] resources
│ │ └── [2.3K] default-jolokia-agent.properties
│ ├── [4.0K] site
│ │ └── [4.0K] asciidoc
│ │ └── [ 699] index.adoc
│ └── [4.0K] test
│ ├── [4.0K] java
│ │ └── [4.0K] org
│ │ └── [4.0K] jolokia
│ │ ├── [4.0K] jvmagent
│ │ │ ├── [4.0K] client
│ │ │ │ ├── [1.6K] AgentLauncherTest.java
│ │ │ │ ├── [4.0K] command
│ │ │ │ │ ├── [9.2K] CommandDispatcherTest.java
│ │ │ │ │ └── [1.5K] EncryptCommandTest.java
│ │ │ │ └── [4.0K] util
│ │ │ │ ├── [4.8K] OptionsAndArgsTest.java
│ │ │ │ ├── [2.5K] ProcessingExceptionTest.java
│ │ │ │ └── [4.9K] VirtualMachineHandlerTest.java
│ │ │ ├── [ 824] Dummy.java
│ │ │ ├── [4.0K] handler
│ │ │ │ ├── [1.8K] JolokiaHttpHandlerRestrictorTest.java
│ │ │ │ └── [ 14K] JolokiaHttpHandlerTest.java
│ │ │ ├── [ 33K] JolokiaServerTest.java
│ │ │ ├── [9.5K] JvmAgentConfigTest.java
│ │ │ ├── [1.5K] JvmAgentTest.java
│ │ │ ├── [1.3K] ParseUriTest.java
│ │ │ ├── [4.0K] security
│ │ │ │ ├── [4.0K] asn1
│ │ │ │ │ ├── [8.1K] DEREncodingTest.java
│ │ │ │ │ └── [ 966] HexUtil.java
│ │ │ │ ├── [1.9K] BaseAuthenticatorTest.java
│ │ │ │ ├── [6.0K] ClientCertAuthenticatorTest.java
│ │ │ │ ├── [8.0K] DelegatingAuthenticatorTest.java
│ │ │ │ ├── [4.1K] JaasHttpAuthenticatorTest.java
│ │ │ │ ├── [ 11K] KeyStoreUtilTest.java
│ │ │ │ ├── [4.2K] MultiAuthenticatorTest.java
│ │ │ │ ├── [4.3K] PKCS1UtilTest.java
│ │ │ │ └── [ 682] UserPasswordHttpAuthenticatorTest.java
│ │ │ └── [1.1K] TestMain.java
│ │ └── [4.0K] restrictor
│ │ ├── [1.5K] TestRestrictorWithConfig.java
│ │ └── [1.3K] TestReverseDnsLookupRestrictor.java
│ └── [4.0K] resources
│ ├── [ 691] access-restrictor.xml
│ ├── [ 636] agent-custom-authenticator-test.properties
│ ├── [ 705] agent-test-additionalHttpsConf.properties
│ ├── [ 722] agent-test.properties
│ ├── [3.2K] agent-test-specialHttpsSettings.properties
│ ├── [4.0K] certs
│ │ ├── [4.0K] ca
│ │ │ ├── [5.3K] cert-multi.pem
│ │ │ ├── [1.3K] cert.pem
│ │ │ └── [1.8K] key.pem
│ │ ├── [4.0K] client
│ │ │ ├── [4.0K] self-signed-with-key-usage
│ │ │ │ ├── [4.2K] cert.p12
│ │ │ │ ├── [2.0K] cert.pem
│ │ │ │ ├── [1.8K] client.csr
│ │ │ │ └── [3.2K] key.pem
│ │ │ ├── [4.0K] with-key-usage
│ │ │ │ ├── [3.9K] cert.p12
│ │ │ │ ├── [1.7K] cert.pem
│ │ │ │ ├── [1.8K] client.csr
│ │ │ │ └── [3.2K] key.pem
│ │ │ ├── [4.0K] without-key-usage
│ │ │ │ ├── [3.8K] cert.p12
│ │ │ │ ├── [1.6K] cert.pem
│ │ │ │ ├── [1.8K] client.csr
│ │ │ │ ├── [3.8K] client.p12
│ │ │ │ └── [3.2K] key.pem
│ │ │ └── [4.0K] with-wrong-key-usage
│ │ │ ├── [3.9K] cert.p12
│ │ │ ├── [1.7K] cert.pem
│ │ │ ├── [1.8K] client.csr
│ │ │ ├── [3.8K] client.p12
│ │ │ └── [3.2K] key.pem
│ │ ├── [ 166] client.ext
│ │ ├── [4.0K] invalid
│ │ │ ├── [1.3K] base64.pem
│ │ │ ├── [1.3K] begin.pem
│ │ │ └── [1.3K] end.pem
│ │ ├── [2.2K] README.md
│ │ └── [ 0] server.ext
│ └── [4.0K] META-INF
│ └── [4.0K] jolokia
│ └── [ 45] services
├── [ 18K] HOWTO_RELEASE.md
├── [ 11K] LICENSE
├── [ 890] NOTICE
└── [6.1K] README.md
43 directories, 116 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.