CVE-2019-10104 in IntelliJ IDEA Ultimate

Summary

by MITRE

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.


Analysis

by VulDB Data Team • 06/30/2020

The vulnerability described in CVE-2019-10104 represents a critical remote code execution flaw within JetBrains IntelliJ IDEA Ultimate development environments. This issue specifically affects application server run configurations that support Tomcat, Jetty, Resin, and CloudBees servers, creating a significant security risk for developers who rely on these integrated development environments for application deployment and testing. The flaw stems from improper network binding configuration where the JMX (Java Management Extensions) server listens on all network interfaces rather than restricting access to localhost only, thereby exposing the development environment to external attack vectors.

The technical root cause of this vulnerability aligns with CWE-668, which describes "Exposure of Resource to Wrong Sphere," specifically manifesting as an improper restriction of access to network services. When developers configure their application servers within IntelliJ IDEA Ultimate, the default settings create a JMX server that accepts connections from any IP address rather than limiting access to the local machine. This misconfiguration allows remote attackers to establish connections to the JMX service without authentication, effectively bypassing the security boundaries that should normally protect the development environment from external interference. The vulnerability is particularly dangerous because it exists in the development tools themselves rather than in the applications being developed, making it a supply chain security concern.

The operational impact of this vulnerability extends beyond simple code execution capabilities, as it enables attackers to perform a wide range of malicious activities within the compromised development environment. Through the exposed JMX interface, an attacker can manipulate running applications, access sensitive configuration data, modify application behavior, and potentially escalate privileges to gain access to underlying system resources. The attack surface is particularly concerning for enterprise development teams where IntelliJ IDEA is used across multiple developers and projects, as a single compromised development environment can serve as a foothold for broader network infiltration. This vulnerability directly maps to ATT&CK technique T1059.007 for Windows and T1059.006 for Unix systems, as it provides remote code execution capabilities through application server interfaces.

Organizations should immediately update their IntelliJ IDEA Ultimate installations to versions 2018.3.4, 2018.2.8, 2018.1.8, or 2017.3.7 to remediate this vulnerability. System administrators should also implement network segmentation measures to restrict access to development environments and ensure that only authorized personnel can access the JMX interfaces. Additional mitigations include configuring firewall rules to block external access to JMX ports, disabling JMX monitoring when not actively required, and implementing proper network access controls between development and production environments. Regular security audits of development tool configurations should be conducted to identify similar misconfigurations that could expose development environments to remote exploitation. The vulnerability demonstrates the importance of secure configuration management in development tools and highlights the need for organizations to maintain current security practices throughout their software development lifecycle.
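A defender-side check for the condition this entry describes, added here as an example and not part of the VulDB entry or of JetBrains' code: it parses `ss -ltnp` output (a constructed sample is embedded; the pids and ports are made up) and reports Java processes whose listening sockets are bound to a wildcard or other non-loopback address, which is exactly the JMX exposure behind CVE-2019-10104. The `ss` column layout is assumed to be the one shown in the sample.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed `ss -ltnp` output, not captured from a real host; pids and ports are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     *:1099             *:*               users:(("java",pid=4242,fd=18))
LISTEN 0      50     127.0.0.1:1098     0.0.0.0:*         users:(("java",pid=4242,fd=19))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     [::]:9010          [::]:*            users:(("java",pid=5150,fd=21))
LISTEN 0      50     [::1]:9011         [::]:*            users:(("java",pid=5150,fd=22))
"""

# One LISTEN row of `ss -ltnp`: local address, port, and the first owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

@dataclass(frozen=True)
class Exposure:
    pid: int
    proc: str
    addr: str
    port: int

def is_loopback(addr: str) -> bool:
    """True only when the socket is bound to a loopback address (IPv4 or IPv6)."""
    if addr == "*":                                # ss prints '*' for the IPv4 wildcard
        return False
    ip = ip_address(addr.strip("[]"))              # IPv6 addresses are bracketed in ss output
    mapped = getattr(ip, "ipv4_mapped", None)      # ::ffff:127.0.0.1 still counts as loopback
    return (mapped or ip).is_loopback

def find_exposed_java_listeners(ss_output: str) -> list[Exposure]:
    """Return Java listeners bound to any non-loopback address, wildcard included."""
    exposed = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "java":           # only JVMs can host a JMX connector
            continue
        if not is_loopback(m["addr"]):
            exposed.append(Exposure(int(m["pid"]), m["proc"], m["addr"], int(m["port"])))
    return exposed

if __name__ == "__main__":
    for e in find_exposed_java_listeners(SAMPLE_SS):
        print(f"pid {e.pid} listens on {e.addr}:{e.port}: bind JMX to localhost or block the port")
```

Run it against live `ss -ltnp` output on a developer workstation; any Java listener it reports should be checked against the run configuration and either rebound to localhost or firewalled.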

Reservation

03/26/2019

Moderation

accepted

CPE

ready

EPSS

0.00021

KEV

no

Activities

very low
