[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Securing Jmx Console and web console

Posted on 2016-10-28
2
Medium Priority
?
119 Views
Last Modified: 2016-10-29
ASV scan came back and showed remote code execution vulnerability, They listed this site as the remediation

https://developer.jboss.org/wiki/SecureTheJmxConsole?_sscc=t 

so i found the jboss-web.xml file and when i look in it, it doesn't appear the security domain is commented out.  Am i looking at this wrong?

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

Open in new window

0
Comment
Question by:leadtheway
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 2000 total points
ID: 41864925
Can you share vulnerability text?
How authentication fixes RCE vulnerability? You sort of just hide it from scanner.
0
 
LVL 1

Author Comment

by:leadtheway
ID: 41865464
I found out the issue, it appears everything was uncommented and configured correctly from a security-domain perspective, but i guess digging into the CVE that there is a vulnerbility in the web.xml for the console and web console where the authentication only applied to both post and get verbiage and not Head

<http-method>GET</http-method>
<http-method>POST</http-method>

by removing those two it forces it to apply to all http verbiage

thanks for the comment
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question