Solved

Securing Jmx Console and web console

Posted on 2016-10-28
Last Modified: 2016-10-29
An ASV scan came back and showed a remote code execution vulnerability. They listed this site as the remediation:

https://developer.jboss.org/wiki/SecureTheJmxConsole?_sscc=t 

So I found the jboss-web.xml file, and when I look in it, it doesn't appear the security domain is commented out. Am I looking at this wrong?

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

Question by: leadtheway

2 Comments
LVL 62
Accepted Solution
by: gheist (earned 500 total points)
ID: 41864925
Can you share the vulnerability text?
How does authentication fix an RCE vulnerability? You sort of just hide it from the scanner.
LVL 1
Author Comment
by: leadtheway
ID: 41865464
I found out the issue. It appears everything was uncommented and configured correctly from a security-domain perspective, but I guess, digging into the CVE, there is a vulnerability in the web.xml for the JMX console and web console where the authentication only applied to both the POST and GET verbs and not HEAD:

<http-method>GET</http-method>
<http-method>POST</http-method>

By removing those two, it forces it to apply to all HTTP verbs.

Thanks for the comment.
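As an added example (not from this thread or from the JBoss project), a Python checker that parses a web.xml and flags security-constraints that list explicit http-method elements, the weak pattern the author describes, next to the corrected form with those lines removed; the resource and role names in the constructed sample are assumptions.

```python
"""Flag servlet security-constraints that enumerate HTTP methods: verbs the
<web-resource-collection> omits (HEAD, OPTIONS, ...) bypass the auth-constraint."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the JMX console web.xml discussed above.
# The resource and role names are assumptions, not taken from the page.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened form: the two <http-method> lines removed, so the constraint
# applies to every HTTP verb.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")

def _local(tag):
    """Strip the XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def find_partial_constraints(web_xml):
    """Return (resource_name, url_patterns, methods) for each role-protected
    web-resource-collection that lists explicit verbs (bypassable by other verbs)."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no role required, nothing to bypass
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
            if methods:
                name = next((e.text for e in wrc if _local(e.tag) == "web-resource-name"), "")
                patterns = [e.text for e in wrc if _local(e.tag) == "url-pattern"]
                findings.append((name, patterns, methods))
    return findings
```

Run it against the deployed jmx-console and web-console web.xml files; an empty result means every protected collection covers all verbs.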