Description
JBoss allows for using adaptors for accessing MBean services over any supported protocols. For HTTP, the JBoss AS provides the HttpAdaptor. In a default installation, the HttpAdaptor is not activated. However, the HttpAdaptor's JMX Invoker is running and publicly available at the URL http://localhost:8080/invoker/JMXInvokerServlet.
This Invoker accepts HTTP POST requests which contain a serialized JMX invocation in the data section (the objects belong to the JBoss AS Java class MarshalledInvocation). After deserialization the object is forwarded to the target MBean. Using this functionality an attacker can invoke the BSHDeployer MBean to create a local file and later call MainDeployer to deploy the locally created file.
Remediation
Restrict access to the HttpAdaptor JMXInvokerServlet.