3 Replies Latest reply on Aug 11, 2006 6:13 AM by jyotsna.hcl

    Update JBoss to maintain security?

    maraudermuc

      Hello,

      We've been running a production application on JBoss 3.2.3 with Tomcat 4.1.29 for a while now.

      Since the Server should be partially opened to the Internet now - I have the task to define security-specs for this server.

      Of course, making sure all Win-Patches are in place and updating Apache is mandatory... The JDK will also be updated to the latest bugfix release, 1.4.2_12.

      But is it reasonable to update the old JBoss 3.2.3 and/or Tomcat to the latest 3.2.8 SP1 release for security reasons?
      The App itself is running fine and I would like to avoid touching a running system if it's not reasonable.

      Second - if we better upgrade the App-Server - is there a best practice to do so?

      Thanks for the help...

        • 1. Re: Update JBoss to maintain security?
          aq12ws

          Hi,
          Are you talking about securing JBoss or upgrading? The out-of-the-box JBoss installation is not secure. If you expose the jmx-console, your server can be shut down from the web itself.
          If you are talking about security issues like this, then I can provide more information on that.

          Rgds,
          Alok

          • 2. Re: Update JBoss to maintain security?
            maraudermuc

             

            "aq12ws" wrote:
            Hi,
            Are you talking about securing JBoss or upgrading?


            I intended to ask whether I should upgrade JBoss to the latest "patchlevel" for security reasons.
            E.g. it is recommended to upgrade Apache 2.0.x to the latest version, 2.0.58, because security holes have been fixed in this version.

            Is this also best practice for JBoss - so if I use 3.2.3, should I go for 3.2.8 SP1 to have all known bugs fixed... or are there no security-related fixes in JBoss?

            "aq12ws" wrote:

            The out-of-the-box JBoss installation is not secure. If you expose the jmx-console, your server can be shut down from the web itself.
            If you are talking about security issues like this, then I can provide more information on that.


            The server was set up with regard to security a while ago (not by me)... and of course is not fully exposed to the net.
            Anyhow - I would be very interested in more information on securing JBoss to double-check our settings and learn from more experienced users...

            Thx for the help,
            Thorsten
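
Added example, not part of the original thread or of JBoss itself: one way to double-check the jmx-console exposure discussed above is to audit the console web application's `WEB-INF/web.xml` for a role-protected `security-constraint` and a `login-config`. The file location, the role name `JBossAdmin` and the three sample descriptors are assumptions constructed for illustration; the element names are the standard servlet deployment descriptor ones.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    # Match on local name so namespaced and DTD-style descriptors both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return findings for a servlet web.xml; an empty list means /* is fully protected."""
    root = ET.fromstring(xml_text)
    findings, protected = [], False
    for sc in _kids(root, "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue  # a constraint without auth-constraint demands no role
        for wrc in _kids(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in _kids(wrc, "url-pattern")]
            methods = [(m.text or "").strip() for m in _kids(wrc, "http-method")]
            if "/*" not in patterns:
                continue
            if methods:  # listed methods are the only ones the constraint covers
                findings.append("constraint on /* covers only " + ",".join(methods))
            else:
                protected = True
    if not protected:
        findings.append("no constraint requires a role for every HTTP method on /*")
    if not _kids(root, "login-config"):
        findings.append("no login-config, so the container cannot authenticate callers")
    return findings

# Constructed sample descriptors (not taken from the thread).
_LOGIN = "<login-config><auth-method>BASIC</auth-method></login-config>"
_RULE = ("<security-constraint><web-resource-collection>"
         "<web-resource-name>console</web-resource-name>"
         "<url-pattern>/*</url-pattern>%s</web-resource-collection>"
         "<auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>"
         "</security-constraint>")
OPEN = "<web-app><!-- " + _RULE % "" + " --></web-app>"  # constraint commented out
PARTIAL = ("<web-app>" + _RULE % "<http-method>GET</http-method>"
           "<http-method>POST</http-method>" + _LOGIN + "</web-app>")
HARDENED = "<web-app>" + _RULE % "" + _LOGIN + "</web-app>"

if __name__ == "__main__":
    for name, doc in (("OPEN", OPEN), ("PARTIAL", PARTIAL), ("HARDENED", HARDENED)):
        print(name, audit_web_xml(doc) or "ok")
```

A constraint that lists `http-method` elements applies only to those methods, which is why the `PARTIAL` sample is still reported.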

            • 3. Re: Update JBoss to maintain security?
              jyotsna.hcl

              How to make session beans secure and entity beans insecure in jboss.xml?