Solved

Securing Jmx Console and web console

Posted on 2016-10-28
72 Views
Last Modified: 2016-10-29
An ASV scan came back and showed a remote code execution vulnerability. They listed this site as the remediation:

https://developer.jboss.org/wiki/SecureTheJmxConsole?_sscc=t 

So I found the jboss-web.xml file, and when I look in it, it doesn't appear the security domain is commented out. Am I looking at this wrong?

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

Question by:leadtheway
2 Comments
 
LVL 62

Accepted Solution

by: gheist earned 500 total points
ID: 41864925
Can you share the vulnerability text?
How does authentication fix an RCE vulnerability? You sort of just hide it from the scanner.
 
LVL 1

Author Comment

by:leadtheway
ID: 41865464
I found out the issue. It appears everything was uncommented and configured correctly from a security-domain perspective, but I guess, digging into the CVE, that there is a vulnerability in the web.xml for the console and web console where the authentication only applied to both POST and GET verbiage and not HEAD:

<http-method>GET</http-method>
<http-method>POST</http-method>

By removing those two, it forces it to apply to all HTTP verbiage.

Thanks for the comment.
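The fix the author describes (drop the explicit `<http-method>` list so the security-constraint covers every verb) is easy to verify mechanically. The script below is an added example, not code from this thread or from JBoss: it parses a web.xml, reports every web-resource-collection that limits its constraint to named methods, and emits a hardened copy with the method elements removed. The sample web.xml is constructed here to mirror the jmx-console layout discussed above (a `/*` pattern guarded only for GET and POST, role `JBossAdmin`); the element names are standard Servlet deployment-descriptor elements.

```python
"""Audit a web.xml for security-constraints that enumerate <http-method>
elements. Any method not listed (HEAD, PUT, ...) falls outside the
constraint and is served without authentication; removing the list makes
the constraint apply to all methods, which is the fix described above."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the JBoss jmx-console web.xml shape:
# the constraint covers /* but only for GET and POST (the weak setting).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# Keep the default namespace unprefixed when we serialise the fixed file.
ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")


def _local(tag):
    """Strip the '{namespace}' prefix so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _collections(root):
    """All <web-resource-collection> elements, collected up front so that
    callers may modify them without disturbing the tree walk."""
    return [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]


def find_method_limited_constraints(web_xml_text):
    """Return (web-resource-name, url-patterns, methods) for every collection
    that restricts itself to specific HTTP methods. An empty list means every
    constraint already applies to all methods."""
    findings = []
    for wrc in _collections(ET.fromstring(web_xml_text)):
        methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
        if not methods:
            continue
        name = next((e.text.strip() for e in wrc if _local(e.tag) == "web-resource-name"), "")
        patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
        findings.append((name, patterns, methods))
    return findings


def harden(web_xml_text):
    """Return the web.xml text with every <http-method> element removed, so
    each security-constraint covers all HTTP methods. url-pattern and
    auth-constraint are left untouched."""
    root = ET.fromstring(web_xml_text)
    for wrc in _collections(root):
        for method in [e for e in wrc if _local(e.tag) == "http-method"]:
            wrc.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, patterns, methods in find_method_limited_constraints(WEAK_WEB_XML):
        print(f"{name}: {patterns} protected only for {methods}")
    print(harden(WEAK_WEB_XML))
```

Run it against a deployed `jmx-console/WEB-INF/web.xml` (and the web-console equivalent) by reading the file into `find_method_limited_constraints`; a non-empty result is the verb-tampering gap, and `harden` produces the descriptor to deploy in its place. Note that `_collections` is materialised before removal so the tree walk is not disturbed by deleting children mid-iteration.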
