CVE-2024-1233
📋 TL;DR
This vulnerability allows attackers to perform server-side request forgery (SSRF) attacks against JBoss EAP servers. When the JWT validator processes tokens with a 'jku' (JWK Set URL) parameter, it fetches public keys from arbitrary URLs without validation, enabling attackers to make the server send HTTP requests to internal or external systems. This affects JBoss EAP deployments using JWT validation with the vulnerable component.
💻 Affected Systems
- JBoss EAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems by making the vulnerable server send requests to internal network resources, potentially leading to data breaches or further compromise.
Likely Case
Attackers could probe internal networks, access metadata services (like AWS/Azure instance metadata), or interact with internal APIs to gather information or perform limited actions.
If Mitigated
With proper network segmentation and egress filtering, impact would be limited to external resources only, reducing the risk of internal network compromise.
🎯 Exploit Status
Exploitation requires the ability to submit JWT tokens to the vulnerable endpoint. The vulnerability is straightforward to exploit once an attacker can interact with the JWT validation functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple versions as specified in Red Hat advisories RHSA-2024:3559, RHSA-2024:3560, RHSA-2024:3561, RHSA-2024:3563, RHSA-2024:3580
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3559
Restart Required: Yes
Instructions:
1. Identify affected JBoss EAP version.
2. Apply the appropriate Red Hat patch from the advisory links.
3. Restart the JBoss EAP server.
4. Verify the fix by checking the version and testing JWT validation.
🔧 Temporary Workarounds
Disable jku processing
Configure JWT validation to ignore or reject tokens containing 'jku' parameters
Modify JWT validator configuration to set 'allowJku' to false or implement custom validation that rejects jku URLs
Network egress filtering
Restrict outbound HTTP requests from JBoss EAP servers to only trusted domains
Configure firewall rules to block outbound HTTP/HTTPS from JBoss servers except to approved destinations
🧯 If You Can't Patch
- Implement network segmentation to isolate JBoss EAP servers from sensitive internal systems
- Deploy web application firewall (WAF) rules to block JWT tokens containing suspicious jku URLs
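The "Disable jku processing" workaround and the WAF rule above both amount to a pre-filter in front of the validator: inspect the JOSE header before any key is fetched and reject (or tightly constrain) a 'jku' claim. The Python below is an added example written for this page; it is not code from the advisory, Red Hat or the WildFly project. The allowlisted host `sso.example.internal`, the helper names `parse_jwt_header`, `jku_policy` and `make_token`, and the sample tokens are constructed assumptions.

```python
import base64
import binascii
import json
from urllib.parse import urlparse

# Constructed allowlist: hosts from which this deployment legitimately serves
# JWK Sets. Hypothetical value; replace with your identity provider's host.
ALLOWED_JKU_HOSTS = {"sso.example.internal"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_jwt_header(token: str) -> dict:
    """Decode only the JOSE header (first segment) of a compact JWS.
    No signature verification happens here; this is a pre-filter that runs
    before the real validator sees the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def jku_policy(token: str, allow_jku: bool = False,
               allowed_hosts=ALLOWED_JKU_HOSTS) -> tuple:
    """Return (accept, reason).

    allow_jku=False: any token carrying a 'jku' header is rejected, which is the
    effect the page describes for setting allowJku to false.
    allow_jku=True : the jku URL must use https and name an allowlisted host.
    """
    try:
        header = parse_jwt_header(token)
    except (ValueError, binascii.Error) as exc:   # JSONDecodeError is a ValueError
        return False, f"malformed token: {exc}"
    jku = header.get("jku")
    if jku is None:
        return True, "no jku header"
    if not allow_jku:
        return False, "jku header present but jku processing is disabled"
    if not isinstance(jku, str):
        return False, "jku is not a string"
    url = urlparse(jku)
    if url.scheme != "https":
        return False, f"jku scheme {url.scheme!r} is not https"
    if url.hostname not in allowed_hosts:
        return False, f"jku host {url.hostname!r} is not allowlisted"
    return True, "jku host allowlisted"


def make_token(header: dict, payload: dict) -> str:
    """Build a compact token with a dummy signature segment. Used here only to
    construct test inputs; the filter never checks the signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    # Constructed sample tokens exercising each policy branch.
    samples = {
        "plain":    make_token({"alg": "RS256", "kid": "k1"}, {"sub": "alice"}),
        "allowed":  make_token({"alg": "RS256", "jku": "https://sso.example.internal/keys"}, {"sub": "alice"}),
        "internal": make_token({"alg": "RS256", "jku": "http://10.0.3.7/keys"}, {"sub": "alice"}),
        "external": make_token({"alg": "RS256", "jku": "https://keys.not-our-idp.example/jwks.json"}, {"sub": "alice"}),
    }
    for name, tok in samples.items():
        print(f"{name:9s} strict={jku_policy(tok)}  allowlist={jku_policy(tok, allow_jku=True)}")
```

A hostname allowlist restricts where the validator will fetch from, but it does not by itself stop a fetch that is redirected or resolves to an internal address, so keep this pre-filter paired with the egress filtering described above rather than treating it as a substitute. The filter decodes the header only and is not a replacement for signature verification.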
🔍 How to Verify
Check if Vulnerable:
Check if JBoss EAP is using JWT validation with JwtValidator and if the version matches affected ranges in Red Hat advisories
Check Version:
jboss-cli.sh --connect --command=":read-attribute(name=product-version)" or check server logs for version information
Verify Fix Applied:
Verify the JBoss EAP version has been updated to a patched version and test that JWT tokens with jku parameters no longer trigger unfiltered HTTP requests
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from JBoss EAP server to unexpected domains
- JWT validation errors or warnings related to jku processing
Network Indicators:
- HTTP requests from JBoss servers to internal IP ranges or unusual external domains
- Pattern of requests triggered by JWT validation
SIEM Query:
source="jboss" AND (http_request OR url_fetch) AND (jku OR jwks_uri)
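The log and network indicators above come down to one question per outbound fetch: did the server reach for a host that is not its trusted JWKS source, and if not, was the destination internal, link-local (the cloud metadata range) or an unknown external host? The Python below is an added example, not code from the page or from Red Hat; the key=value log format, the host `sso.example.internal` and the sample lines are constructed stand-ins for whatever your JBoss access logging or egress proxy actually emits.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: the only host this deployment should ever fetch key material from.
TRUSTED_KEY_HOSTS = {"sso.example.internal"}

# Constructed key=value log lines, standing in for real egress/proxy logs.
SAMPLE_LOG = """\
2024-05-20T10:01:02Z host=jboss01 event=url_fetch trigger=jku url=https://sso.example.internal/realms/app/protocol/openid-connect/certs
2024-05-20T10:01:05Z host=jboss01 event=url_fetch trigger=jku url=http://169.254.169.254/latest/meta-data/
2024-05-20T10:01:09Z host=jboss01 event=url_fetch trigger=jku url=http://10.0.3.7:8080/admin/
2024-05-20T10:01:12Z host=jboss01 event=url_fetch trigger=jku url=https://keys.not-our-idp.example/jwks.json
2024-05-20T10:01:15Z host=jboss01 event=login user=alice result=ok
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def classify_destination(url: str) -> str:
    """Label where an outbound fetch went:
    trusted | link-local | internal | untrusted-external | unparseable."""
    host = urlparse(url).hostname
    if host is None:
        return "unparseable"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: only the known JWKS host is trusted.
        return "trusted" if host in TRUSTED_KEY_HOSTS else "untrusted-external"
    # Check link-local before is_private, since is_private also covers 169.254/16.
    if ip.is_link_local:
        return "link-local"
    if ip.is_private or ip.is_loopback:
        return "internal"
    return "untrusted-external"


def detect_suspicious_fetches(log_text: str) -> list:
    """Return one alert per outbound fetch whose destination is not a trusted
    JWKS host, in log order. Non-fetch events are ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") != "url_fetch" or "url" not in f:
            continue
        category = classify_destination(f["url"])
        if category == "trusted":
            continue
        alerts.append({"ts": f["ts"], "trigger": f.get("trigger"),
                       "url": f["url"], "category": category})
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_fetches(SAMPLE_LOG):
        print(f"{a['ts']} [{a['category']}] trigger={a['trigger']} url={a['url']}")
```

The link-local and internal categories are the ones that matter most for this CVE, since they correspond to the metadata-service and internal-API access described under Likely Case; the untrusted-external category is the signal that a jku URL outside your identity provider was honoured at all.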
🔗 References
- https://access.redhat.com/errata/RHSA-2024:3559
- https://access.redhat.com/errata/RHSA-2024:3560
- https://access.redhat.com/errata/RHSA-2024:3561
- https://access.redhat.com/errata/RHSA-2024:3563
- https://access.redhat.com/errata/RHSA-2024:3580
- https://access.redhat.com/errata/RHSA-2024:3581
- https://access.redhat.com/errata/RHSA-2024:3583
- https://access.redhat.com/errata/RHSA-2025:9582
- https://access.redhat.com/errata/RHSA-2025:9583
- https://access.redhat.com/security/cve/CVE-2024-1233
- https://bugzilla.redhat.com/show_bug.cgi?id=2262849
- https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
- https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523
- https://issues.redhat.com/browse/WFLY-19226