Public Access on Java Management Extension in Opencast Matterhorn


Lars Kiesow
Dec 1, 2014, 10:18:13 AM
to security...@opencast.org
Hello,

this is the official security notice regarding a minor security issue
recently discovered in Opencast Matterhorn.

Description:

This issue allows an attacker to connect remotely to the JVM of a
Matterhorn instance that has Java Management Extensions (JMX) enabled
and to obtain detailed information about the running Matterhorn
instance.


Affects:

This issue affects all reference start scripts for Opencast
Matterhorn. It will only affect you if port 1090/tcp is reachable
from remote machines (e.g. because there is no firewall).

If you are not using a reference start script, then you may not be
affected by this bug. Please check the details below.


Details:

The start scripts for Opencast Matterhorn contain an unprotected JMX
configuration which is enabled by default:

JMX="-Dcom.sun.management.jmxremote"
JMX="${JMX} -Dcom.sun.management.jmxremote.port=1090"
JMX="${JMX} -Dcom.sun.management.jmxremote.authenticate=false"
JMX="${JMX} -Dcom.sun.management.jmxremote.ssl=false"

This means that anyone who can reach port 1090/tcp (e.g. because there
is no firewall) can connect to the JVM running Matterhorn without any
credentials. Note that with authentication disabled the JVM consults no
access file, so the connection is not limited to a read-only role; treat
it as full access to the MBeans of the JVM.


Patching the system:

Unless you need JMX, we recommend commenting out or deleting the default
JMX configuration and restarting Matterhorn. The start scripts can
usually be found (depending on your installation type) at
/usr/sbin/matterhorn
or
/etc/init.d/matterhorn

Patches for 1.4 to 1.6 have been submitted [#350 - #352] and will be
included in upcoming releases (1.4.5, 1.5.2, 1.6.0).

If you need JMX enabled, please make sure it is properly configured and
secured: enable authentication (and SSL) on the JMX connector, and
configure your firewall to block public access to port 1090/tcp.
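The following script is an added example and is not code from the Opencast project or from this notice. It puts the checks and the fix above into shell: it classifies a JVM option string by its JMX exposure (the default block quoted in the Details section is embedded as a constructed sample), scans running JVMs with ps, comments out the JMX= lines of a start script in place, and prints a hardened replacement block with authentication and SSL enabled. The directory passed to hardened_jmx_flags and the file names jmxremote.password and jmxremote.access are assumptions for this example; the port 1090 and the script paths are taken from the notice.

```shell
#!/bin/sh
# Added example (not part of the Opencast start scripts): audit and fix
# the unauthenticated JMX flags described in the Matterhorn notice.

# The default Matterhorn JMX block from the notice, joined into one option
# string (constructed sample input for the functions below).
DEFAULT_JMX='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1090 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'

# Classify a JVM option string by its remote JMX exposure. Prints:
#   disabled : no jmxremote.port, so no remote connector is opened at all
#   exposed  : remote port set and authenticate=false (anyone who can reach
#              the port connects without credentials, as in the notice)
#   auth     : remote port set and authentication left on (the JDK default)
jmx_exposure() {
    case "$1" in
        *-Dcom.sun.management.jmxremote.port=*) ;;
        *) echo disabled; return 0 ;;
    esac
    case "$1" in
        *-Dcom.sun.management.jmxremote.authenticate=false*) echo exposed ;;
        *) echo auth ;;
    esac
}

# Extract the remote JMX port from an option string (prints nothing if unset).
jmx_port() {
    printf '%s\n' "$1" | sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.port=\([0-9]*\).*/\1/p'
}

# List every running JVM whose command line exposes an unauthenticated JMX
# port. Uses only ps, so it works on a bare server.
audit_running_jvms() {
    ps -eo pid=,args= | while read -r pid args; do
        case "$args" in *java*) ;; *) continue ;; esac
        if [ "$(jmx_exposure "$args")" = exposed ]; then
            echo "pid $pid: unauthenticated JMX on port $(jmx_port "$args")"
        fi
    done
}

# Count JMX= assignments that are still active (not commented out) in a
# start script such as /usr/sbin/matterhorn or /etc/init.d/matterhorn.
active_jmx_lines() {
    grep -c '^[[:space:]]*JMX=' "$1" || true
}

# The fix from the notice when JMX is not needed: comment out every JMX=
# line. Writes through cat so the script keeps its mode and ownership.
disable_jmx_in_script() {
    script="$1"
    tmp="$script.tmp.$$"
    sed 's/^\([[:space:]]*\)JMX=/\1#JMX=/' "$script" > "$tmp" && cat "$tmp" > "$script"
    rm -f "$tmp"
}

# Hardened replacement block when JMX is needed: authentication and SSL on.
# $1 is the directory holding jmxremote.password and jmxremote.access
# (an assumption for this example). The JVM refuses to start unless the
# password file is readable only by its owner, so chmod 600 it.
# SSL additionally needs a keystore (javax.net.ssl.keyStore/keyStorePassword).
hardened_jmx_flags() {
    dir="$1"
    cat <<EOF
JMX="-Dcom.sun.management.jmxremote"
JMX="\${JMX} -Dcom.sun.management.jmxremote.port=1090"
JMX="\${JMX} -Dcom.sun.management.jmxremote.authenticate=true"
JMX="\${JMX} -Dcom.sun.management.jmxremote.password.file=$dir/jmxremote.password"
JMX="\${JMX} -Dcom.sun.management.jmxremote.access.file=$dir/jmxremote.access"
JMX="\${JMX} -Dcom.sun.management.jmxremote.ssl=true"
EOF
}

# Usage: sh jmx-check.sh audit
#        sh jmx-check.sh disable /usr/sbin/matterhorn
#        sh jmx-check.sh hardened /etc/matterhorn
case "${1:-}" in
    audit)    audit_running_jvms ;;
    disable)  disable_jmx_in_script "$2" ;;
    hardened) hardened_jmx_flags "$2" ;;
esac
```

After running the disable step, restart Matterhorn and confirm from another host that port 1090/tcp no longer answers (for example with nc -z host 1090); if you keep JMX enabled, the same check should show the port reachable only from the hosts your firewall allows, and a JMX client should be refused without a valid user from jmxremote.password.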