1. Re: Securing JMX console (JBoss)
peterj Apr 3, 2008 2:38 PM (in response to mcdan311)
In XML files, comments are formed as follows:
<!-- this is a comment -->
In the web.xml file for the jmx console, move the
-->
line that appears after the security-constraint end tag to before the security-constraint start tag. It should then look like this:
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
. . .
The line in red is the one that was moved.
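An added check for the misplaced-comment problem described in this reply (example code written for this page, not JBoss's or either poster's): it parses web.xml the way the servlet container does, so a security-constraint that is still inside a comment simply vanishes, and the misplaced markers from posts 5 and 6 later in the thread surface as parse errors. The web.xml fragments are constructed and abbreviated, and the separate jboss-web.xml security-domain step mentioned in the comment is not checked here.

```python
import xml.etree.ElementTree as ET


def check_jmx_console_webxml(xml_text, role="JBossAdmin"):
    """Return findings for a jmx-console web.xml; an empty list means /* is
    constrained to `role`, a login-config exists and the role is declared."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A misplaced comment marker leaves the file malformed (posts 5 and 6).
        return ["web.xml is not well-formed XML: %s" % exc]
    # The parser drops comments, so a constraint still inside <!-- --> is
    # simply absent here, just as it is absent for the servlet container.
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no active <security-constraint>: the console is unauthenticated"]
    findings = []
    covered = False
    for sc in constraints:
        patterns = {p.text.strip() for p in sc.findall("web-resource-collection/url-pattern") if p.text}
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name") if r.text}
        covered = covered or ("/*" in patterns and role in roles)
    if not covered:
        findings.append("no constraint maps /* to role %s" % role)
    if root.find("login-config/auth-method") is None:
        findings.append("no <login-config>: nothing prompts for credentials")
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    if role not in declared:
        findings.append("role %s is not declared in <security-role>" % role)
    return findings


# Constructed fragments mirroring the thread's web.xml variants (not a real file).
_CONSTRAINT = ("<security-constraint><web-resource-collection>"
               "<web-resource-name>HtmlAdaptor</web-resource-name><url-pattern>/*</url-pattern>"
               "<http-method>GET</http-method><http-method>POST</http-method>"
               "</web-resource-collection><auth-constraint><role-name>JBossAdmin</role-name>"
               "</auth-constraint></security-constraint>")
_TAIL = ("<login-config><auth-method>BASIC</auth-method></login-config>"
         "<security-role><role-name>JBossAdmin</role-name></security-role></web-app>")
# Shipped default: the whole constraint sits inside the comment.
SHIPPED_DEFAULT = "<web-app><!-- restrict to JBossAdmin\n" + _CONSTRAINT + "\n-->" + _TAIL
# peterj's fix: the --> closes the comment before the constraint's start tag.
FIXED = "<web-app><!-- restrict to JBossAdmin -->" + _CONSTRAINT + _TAIL
# Post 5: --> placed after <security-constraint>, leaving its end tag unmatched.
POST5_EDIT = ("<web-app><!-- restrict to JBossAdmin\n<security-constraint>\n-->"
              + _CONSTRAINT[len("<security-constraint>"):] + _TAIL)
# Post 6: a second <!-- inside the comment; "--" is illegal inside an XML comment.
POST6_EDIT = ("<web-app><!-- restrict to JBossAdmin\n<!-- restrict to JBossAdmin\n-->"
              + _CONSTRAINT + _TAIL)
```

Run against a real deploy/jmx-console.war/WEB-INF/web.xml, an empty result is the state in which the browser should prompt for credentials, as peterj describes later in the thread.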
2. Re: Securing JMX console (JBoss)
mcdan311 Apr 4, 2008 10:06 AM (in response to mcdan311)
What if the red arrow is not there from the beginning? What does that mean?
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
-->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
<role-name>JBossAdmin</role-name>
</security-role>
</web-app>
3. Re: Securing JMX console (JBoss)
peterj Apr 4, 2008 11:26 AM (in response to mcdan311)
Note that the arrow is after the closing security-constraint tag. That means the entire security-constraint phrase is commented out.
4. Re: Securing JMX console (JBoss)
peterj Apr 4, 2008 11:30 AM (in response to mcdan311)
Read my previous post again, paying attention to the steps I mentioned. Note that I stated that I moved the arrow. I even mentioned where it was before I moved it.
Also, while the example of an XML comment that I gave was on a single line, that is not a requirement - the begin and end markers for a comment can appear on different lines.
5. Re: Securing JMX console (JBoss)
mcdan311 Apr 4, 2008 3:26 PM (in response to mcdan311)
These are the results of the script:
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
<security-constraint>
-->
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
<role-name>JBossAdmin</role-name>
</security-role>
</web-app>
I'm still a little confused by the modifications. After making the changes and running a security scan on the server, it is still coming up with the vulnerability. So did I make the correct changes above?
6. Re: Securing JMX console (JBoss)
mcdan311 Apr 4, 2008 3:29 PM (in response to mcdan311)
This is the correct script:
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
<role-name>JBossAdmin</role-name>
</security-role>
</web-app>
Please disregard previous script.
Thanks
7. Re: Securing JMX console (JBoss)
peterj Apr 4, 2008 3:49 PM (in response to mcdan311)
Please embed any XML text in code tags (select the text and click the Code button), or it will not show properly (the browser will interpret the XML tags as HTML tags and then weird things happen).
What do you mean when you say that a security scan is coming up with a vulnerability? What is the security scanner scanning for, and what information does it provide about the vulnerability?
8. Re: Securing JMX console (JBoss)
mcdan311 Apr 7, 2008 8:02 AM (in response to mcdan311)
This is the message that is being detected when security performs a scan on the server.
23842(8080/tcp) JBoss JMX Console Unrestricted Access
Vulnerability
CGI abuses
Synopsis :
The remote web server allows unauthenticated access to an
administrative Java servlet.
Description :
The remote web server appears to be a version of JBoss that allows
unauthenticated access to the JMX and/or Web Console servlets used to
manage JBoss and its services. A remote attacker can leverage this
issue to disclose sensitive information about the affected application
or even take control of it.
See also :
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
Solution :
Follow the Wiki article referenced above to secure access to the JMX /
Web Console.
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
9. Re: Securing JMX console (JBoss)
peterj Apr 7, 2008 12:30 PM (in response to mcdan311)
Open a browser at http://localhost:8080/jmx-console, and what do you see? You should get a logon request.
10. Re: Securing JMX console (JBoss)
mcdan311 Apr 7, 2008 3:25 PM (in response to mcdan311)
I get the following message:
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
Michael McDaniel. Can you call me at 301-763-5294 around 9:00 am EST?
11. Re: Securing JMX console (JBoss)
peterj Apr 7, 2008 3:30 PM (in response to mcdan311)
Did you use the exact URL I gave or did you change the host name? If you used the exact URL, are you running the browser on the same machine on which JBossAS is running?
I do not see how the security tool can say that the jmx console is unsecured if you cannot even access the jmx console from a browser.
12. Re: Securing JMX console (JBoss)
mcdan311 Apr 7, 2008 3:36 PM (in response to mcdan311)
Could this be a false positive? This application is embedded in a server application called Mercury Quality Center. And I believe that the application interfaces with JBoss. There are no JBoss services running on the server.
13. Re: Securing JMX console (JBoss)
peterj Apr 7, 2008 3:39 PM (in response to mcdan311)
If JBossAS is not running on the machine but Mercury Quality Center is telling you that JBossAS is unsecured, then yes, this is a false positive.
14. Re: Securing JMX console (JBoss)
mcdan311 Apr 8, 2008 7:13 AM (in response to mcdan311)
Thanks for your patience and time. It is very confusing trying to interpret the JBoss scripts. However, the last scripts for uncommenting were correct, right?