Solved

Securing Jmx Console and web console

Posted on 2016-10-28
2
88 Views
Last Modified: 2016-10-29
ASV scan came back and showed remote code execution vulnerability, They listed this site as the remediation

https://developer.jboss.org/wiki/SecureTheJmxConsole?_sscc=t 

so i found the jboss-web.xml file and when i look in it, it doesn't appear the security domain is commented out.  Am i looking at this wrong?

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

Open in new window

0
Comment
Question by:leadtheway
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 41864925
Can you share vulnerability text?
How authentication fixes RCE vulnerability? You sort of just hide it from scanner.
0
 
LVL 1

Author Comment

by:leadtheway
ID: 41865464
I found out the issue, it appears everything was uncommented and configured correctly from a security-domain perspective, but i guess digging into the CVE that there is a vulnerbility in the web.xml for the console and web console where the authentication only applied to both post and get verbiage and not Head

<http-method>GET</http-method>
<http-method>POST</http-method>

by removing those two it forces it to apply to all http verbiage

thanks for the comment
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.
Suggested Courses

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question