Java JMX Agent Insecure Configuration


Bill English

Jan 14, 2020, 6:33:35 PM
to islandora
In scanning our server with Nessus to identify potential security vulnerabilities, I've been presented with this item as a HIGH importance.

Description
A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.

Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM.

Solution
Enable SSL client or password authentication for the JMX agent.

Before I begin testing resolutions for this, I was wondering if any others had worked through this configuration, and might be willing to share some experience with it?
Thanks,

Bill

Bill English

Mar 30, 2020, 7:24:13 PM
to islandora
Ok, I have taken a little deeper look at this; here is what I've found.
Running ps -ef|grep jmx
returned two processes that started using the -Dcom.sun.management.jmxremote parameter, with no additional properties:
ActiveMQ and Karaf.

The recommendation about providing authentication is to adjust the startup parameters to use the following:
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=<port#> -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.access.file=/install/path/to/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/install/path/to/tomcat/conf/jmxremote.password

I wanted to ask about the ports in use by those packages.
From what I've found, ActiveMQ uses ports 61616 AND 8161 (both ports show in netstat using the same PID and program name). If I were to update the env file for it, would I use 61616 or 8161? Or would I just leave the jmxremote.port parameter out of the config (is that port specified elsewhere)?

The Karaf config might be a little trickier, as it loads a little differently, and Google says it should use port 8181, but I think it's using 8101 (based on netstat).

So, the big questions here are: which ports should be specified for those packages, and how can I break-test each package's functionality after making the configuration changes?

And of course the biggest question, am I missing anything? 

Thanks in advance for any help!!

Bill
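Added example, not part of this thread or of the ActiveMQ/Karaf projects: a shell check that classifies the JMX-related -D flags on a JVM command line (one line of ps -ef output) so the two processes above can be compared against the recommended parameters. It assumes the documented JVM defaults (jmxremote.authenticate and jmxremote.ssl default to true, and no remote connector is opened by these flags unless jmxremote.port is set); the sample command lines, PIDs and port 1099 are constructed, and the file paths reuse the placeholder from the post.

```bash
#!/usr/bin/env bash
# Added example: audit the com.sun.management.jmxremote flags of a running JVM.
# Caveat: ActiveMQ and Karaf can also open JMX connectors from their own config
# files, which a command-line check like this one cannot see.

# jmx_prop CMDLINE NAME -> value of -Dcom.sun.management.jmxremote.NAME=..., or nothing.
jmx_prop() {
    printf '%s\n' "$1" | grep -o -- "-Dcom\.sun\.management\.jmxremote\.$2=[^ ]*" | head -n1 | cut -d= -f2-
}

# jmx_classify CMDLINE -> one of:
#   disabled | local-only | remote-noauth | remote-auth-plaintext | remote-auth-ssl
# Returns 1 only for remote-noauth (the condition the Nessus plugin reports).
jmx_classify() {
    local cmdline="$1" port auth ssl
    case "$cmdline" in
        *-Dcom.sun.management.jmxremote*) ;;
        *) echo disabled; return 0 ;;
    esac
    port=$(jmx_prop "$cmdline" port)
    auth=$(jmx_prop "$cmdline" authenticate)
    ssl=$(jmx_prop "$cmdline" ssl)
    # No port: the flag alone only enables the local (attach) connector. Assumed JVM default.
    [ -z "$port" ] && { echo local-only; return 0; }
    # authenticate defaults to true (assumed JVM default); only an explicit false is open.
    [ "$auth" = false ] && { echo remote-noauth; return 1; }
    # Password auth in place; ssl=false means credentials travel in the clear.
    [ "$ssl" = false ] && { echo remote-auth-plaintext; return 0; }
    echo remote-auth-ssl; return 0
}

# Constructed sample lines in ps -ef form (PIDs, port 1099 and paths are made up).
SAMPLE_KARAF='karaf 2201 1 0 Mar30 ? 00:02:11 java -Dcom.sun.management.jmxremote -jar karaf.jar'
SAMPLE_NOAUTH='amq 2310 1 0 Mar30 ? 00:05:02 java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar activemq.jar'
SAMPLE_FIXED='amq 2310 1 0 Mar30 ? 00:05:02 java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.access.file=/install/path/to/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/install/path/to/tomcat/conf/jmxremote.password -jar activemq.jar'

# Print a verdict next to the jar each sample process runs.
for line in "$SAMPLE_KARAF" "$SAMPLE_NOAUTH" "$SAMPLE_FIXED"; do
    printf '%-22s %s\n' "$(jmx_classify "$line")" "$(printf '%s' "$line" | awk '{print $NF}')"
done
```

To audit a live host, feed it real lines: ps -eo args | grep jmxremote | while IFS= read -r l; do jmx_classify "$l"; done.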

Jared Whiklo

Mar 30, 2020, 8:16:47 PM
to isla...@googlegroups.com
Hey Bill,

Port 61616 is the JMS port; you can find it defined in the activemq.xml file inside its conf directory. You only need this open to external machines if you have a multi-server setup; otherwise you can restrict the bind to localhost.

Anyways, I would wager the other is the JMX port.

Cheers,
Jared
