The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. Due to the second layer of authentication provided by the security interceptor, there is no way to directly exploit this flaw. If a user misconfigured the security interceptor or inadvertently disabled it, this flaw would be exploitable. A remote attacker could exploit this flaw to invoke MBean methods and run arbitrary code in the context of the user running the JBoss server.
Acknowledgements: This issue was discovered by David Jorm of the Red Hat Security Response Team.
This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
This issue has been addressed in following products: JBEAP 5 for RHEL 5 Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
This issue has been addressed in following products: JBEAP 5 for RHEL 6 Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
This issue has been addressed in following products: JBEWP 5 for RHEL 6 Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
This issue has been addressed in following products: JBEAP 5 for RHEL 4 Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
This issue has been addressed in following products: JBEWP 5 for RHEL 4 Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
This issue has been addressed in following products: JBEWP 5 for RHEL 5 Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
This issue has been addressed in following products: JBoss Enterprise BRMS Platform 5.3.1 Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
This issue has been addressed in following products: JBoss Enterprise SOA Platform 5.3.1 Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html
The interceptor that blocks exploitation of this flaw by default is declared in jboss-as/server/$PROFILE/deploy/jmx-invoker-service.xml: <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>