Securing Jmx Console and web console

ASV scan came back and showed remote code execution vulnerability, They listed this site as the remediation

https://developer.jboss.org/wiki/SecureTheJmxConsole?_sscc=t 

so i found the jboss-web.xml file and when i look in it, it doesn't appear the security domain is commented out.  Am i looking at this wrong?

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

Open in new window

LVL 1
leadthewayAsked:
Who is Participating?
 
gheistConnect With a Mentor Commented:
Can you share vulnerability text?
How authentication fixes RCE vulnerability? You sort of just hide it from scanner.
0
 
leadthewayAuthor Commented:
I found out the issue, it appears everything was uncommented and configured correctly from a security-domain perspective, but i guess digging into the CVE that there is a vulnerbility in the web.xml for the console and web console where the authentication only applied to both post and get verbiage and not Head

<http-method>GET</http-method>
<http-method>POST</http-method>

by removing those two it forces it to apply to all http verbiage

thanks for the comment
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.