-
1. Re: Wildfly Security risk, access administration panel on port 9990 without authentication using "anonymous" access
dlofthouse Aug 27, 2019 4:00 AM (in response to natarajanram)
Yes, both of those reports were disputed.
Since the very first JBoss AS 7 release all admin access has required authentication out of the box in all our default configurations.
The reports that were raised were that an administrator can reconfigure the server to switch off authentication, but this is an application server - we offer various configuration options, so it is possible for an administrator to either decrease or increase the security policies to meet their own environmental needs.
-
2. Re: Wildfly Security risk, access administration panel on port 9990 without authentication using "anonymous" access
natarajanram Sep 3, 2019 3:53 AM (in response to dlofthouse)
Thank you Darran for your response.
As an example, by default the http-interface is associated with the ManagementRealm in Wildfly 15.0.1:
    <management-interfaces>
        <http-interface security-realm="ManagementRealm">
            <http-upgrade enabled="true"/>
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
Just to confirm this: as long as http-interface, http-remoting-connector, http-connector, etc. are associated with a Security Realm (management or application) in standalone-full.xml, we should not see this vulnerability. Is that correct?
Thanks
Ram
-
3. Re: Wildfly Security risk, access administration panel on port 9990 without authentication using "anonymous" access
dlofthouse Sep 3, 2019 5:02 AM (in response to natarajanram)
+1. Provided the management interface is associated with a security realm, and that security realm contains a definition for authentication, all access to that endpoint will require authentication.
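The condition stated in the replies above (the http-interface must name a security realm, and that realm must define an <authentication> block) can be checked mechanically against a standalone*.xml file. The script below is an added example and is not part of this thread or of WildFly; the two configuration strings are constructed samples that mimic the shape of the default management section, and the status names are the script's own. It strips XML namespaces so it works regardless of the urn:jboss:domain schema version in the file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape of a default standalone.xml management section
# (the http-interface references ManagementRealm, which defines authentication).
SECURE_CONFIG = """<server>
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm">
        <socket-binding http="management-http"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>"""

# Constructed sample: the same file after an administrator has deleted the realm's
# <authentication> block, i.e. the reconfiguration the disputed reports described.
_a, _b = SECURE_CONFIG.index("<authentication>"), SECURE_CONFIG.index("</authentication>")
WEAK_CONFIG = SECURE_CONFIG[:_a] + SECURE_CONFIG[_b + len("</authentication>"):]

def _local(tag):
    """Drop the namespace prefix so the check works across WildFly schema versions."""
    return tag.rsplit("}", 1)[-1]

def _elements_named(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def management_http_auth_status(xml_text):
    """Classify each management http-interface found in a standalone*.xml document."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in _elements_named(root, "security-realm")}
    results = []
    for iface in _elements_named(root, "http-interface"):
        realm = realms.get(iface.get("security-realm") or "")
        if iface.get("http-authentication-factory"):
            results.append("elytron-factory")  # Elytron-based auth; inspect that factory separately
        elif realm is None:
            results.append("no-realm")  # no realm, or an undefined one: nothing authenticates
        elif not _elements_named(realm, "authentication"):
            results.append("realm-without-authentication")
        else:
            results.append("authenticated")
    return results
```

Anything other than "authenticated" (or "elytron-factory", which needs its own review) for the management http-interface means port 9990 is reachable without credentials and the file should be corrected before the server is exposed.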