7 Replies Latest reply on Aug 30, 2012 3:48 AM by bluelabel

Security Concern?

grahamaj Oct 27, 2011 10:16 AM

I am running jBoss AS 6.1.0 and am concerned with the jmx security threat: http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

I went through the steps to secure the jmx-console that are found here: http://community.jboss.org/wiki/SecureTheJmxConsole

The insturctions metion a technical paper that gives details on securing the JMX Invokers. I couldn't find the location of the jmx-invoker-service.xml that the paper mentions within the server anywhere in the 6.1.0 server.

During every evening at 11:30pm I get the following 2 lines in the server output:

23:30:23,171 INFO [org.jboss.web.tomcat.service.deployers.TomcatDeployment] deploy, ctxPath=/jmx-console
23:36:24,475 INFO [com.arjuna.ats.arjuna] ARJUNA-12296 ExpiredEntryMonitor running at Wed, 26 Oct 2011 23:36:24

Does this output indicate that my jmx-console is getting compromised?

Is it because I can't locate the invoker authentication?

1. Re: Security Concern?

jaikiran Oct 27, 2011 1:18 PM (in response to grahamaj)

So every day 11:30 you get a log message of jmx-console being deployed? That probably would mean that it was undeployed earlier. Do you see that log somewhere? Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.
Actions
2. Re: Security Concern?

grahamaj Oct 27, 2011 2:26 PM (in response to jaikiran)

Well it looks as though I was confusing this output statement with one I was receiving before I went through the tutorial on securing the JMX
19:41:20,404 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jmx-console].[HtmlAdaptor]] Servlet.service() for servlet HtmlAdaptor threw exception: javax.management.InstanceNotFoundException: jboss.admin:service=DeploymentFileRepository is not registered.
          at org.jboss.mx.server.registry.BasicMBeanRegistry.get(BasicMBeanRegistry.java:529) [:6.0.0.GA]
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:664) [:6.0.0.GA]
          at org.jboss.jmx.adaptor.control.Server.invokeOpByName(Server.java:258) [:]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:391) [:]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:388) [:]
          at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:387) [:]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:312) [:]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.processRequest(HtmlAdaptorServlet.java:106) [:]
          at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.doGet(HtmlAdaptorServlet.java:81) [:]
          at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:310) [:1.0.0.Final]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:751) [:1.0.0.Final]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.1.0.Final]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.1.0.Final]
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [:6.1.0.Final]
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.1.0.Final]
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]
          at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]
          at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

I did a more comprehensive search through my logs and found that the deploymet output was only in there once for every deployment. The curious thing is that this output statement showed up over 12 hours after I deployed. It is a little puzzling, but I am not too concerned.

Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.

I am pretty confident that I don't need the jmx-console running on the server. Would I just remove the jmx-console.war folder to get rid of it?
Actions
3. Re: Security Concern?

bluelabel Aug 8, 2012 4:01 AM (in response to jaikiran)

Hi jai,

Could you please tell me how to remove / permenently disable the jmx-console in Jboss 6.1.0 Final?
Actions
4. Re: Security Concern?

astratto Aug 13, 2012 12:42 PM (in response to bluelabel)

Hi,
if you're really sure that you don't need the jmx-console and you want to get rid of it, just remove its war directory under server/xxx/deploy.

Cheers
Actions
5. Re: Security Concern?

bluelabel Aug 30, 2012 2:53 AM (in response to astratto)
HI Stefano,
Appreciate if you could tell me exactly what directory to be removed? Because i see several directories in JBOSS_HOME/server/xxx/deploy. Below are the directories i see there, so which one should be removed and are there any specific steps to be taken before delete that directory?
hornetq - What does this do anyway?
http-invoker.sar
jbossweb.sar
jms-ra.rar
mod_cluster.sar
ROOT.war
security
uuid-key-generator.sar
xnio-provider.jar

Thanks
Actions
6. Re: Security Concern?

astratto Aug 30, 2012 3:27 AM (in response to bluelabel)
Hi Sam,
sorry but I had read 5.1 instead of 6.1...

In JBoss 6.1 the jmx-console.war directory is under common/deploy, but its deployment is on-demand and if you just remove/rename it you'll get a java.lang.IllegalStateException: Incompletely deployed.

There are two ways:
if you want to remove jmx-console only for a single profile, simply remove/rename the file server/xxx/deploy/jmx-console-activator-jboss-beans.xml
if you want to remove it for every profile, remove/rename the directory common/deploy/jmx-console.war AND remove every server/xxx/deploy/jmx-console-activator-jboss-beans.xml file

See also: https://community.jboss.org/message/734664#734664

Cheers,
Stefano
Actions
7. Re: Security Concern?

bluelabel Aug 30, 2012 3:48 AM (in response to astratto)

Thanks a lot Stefano, It really helped me. Thanks again
Actions

Go to original post