Description

Jolokia is an alternative to JSR-160 connectors for remote JMX access. It provides REST-like access to JMX with JSON over HTTP.

The Jolokia API should not be publicly accessible on production websites. Jolokia exposes the reloadByURL operation provided by the Logback library, which allows an attacker to reload the logging configuration from an external URL, resulting in an XML External Entity (XXE) vulnerability.

Remediation

Restrict access to the Jolokia API endpoint. Allow access only from the internal network.
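One way to apply this remediation inside Jolokia itself, as an added example that is not part of the original finding: a jolokia-access.xml policy that limits callers to internal addresses and additionally denies the Logback reload operation. The address ranges are placeholders to adapt to your network; the MBean object name is Logback's JMXConfigurator registered under the default logging context name, and is an assumption to verify against the MBeans actually exported by your application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example Jolokia access policy (constructed for illustration, not shipped with Jolokia). -->
<restrict>
  <!-- Only accept requests originating from these hosts/networks (placeholder ranges). -->
  <remote>
    <host>127.0.0.1</host>
    <host>10.0.0.0/8</host>
  </remote>

  <!-- Allow read-only style commands; write/exec are not listed and so are rejected. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>

  <!-- Belt and braces: explicitly deny the Logback reload operation even for allowed hosts.
       Object name assumes Logback's default context name "default"; adjust to your deployment. -->
  <deny>
    <mbean>
      <name>ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator</name>
      <operation>reloadByURL</operation>
      <operation>reloadDefaultConfiguration</operation>
    </mbean>
  </deny>
</restrict>
```

Jolokia looks for this file as /jolokia-access.xml on the classpath, or at the location given by the agent's policyLocation parameter. Because the <remote> check relies on the client address the agent sees, combine it with a network-level or reverse-proxy rule that blocks the /jolokia path from outside the internal network, so that a forwarding proxy in front of the application cannot make every request appear local.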