3 Replies Latest reply on Sep 3, 2019 5:02 AM by dlofthouse

    Wildfly Security risk, access administration panel on port 9990 without authentication using "anonymous" access



      The above question refers to: https://www.cvedetails.com/vulnerability-list/vendor_id-17992/Wildfly.html  which lists 2 vulnerabilities related to accessing administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created.

      As per the notes above, Wildfly/RedHat dispute the vulnerability by stating: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured."


      I am currently using Wildfly 15.0.1 and its starts with standalone-full.xml, and when trying to access: localhost:9990/console, the message is:


      Your WildFly Application Server is running.

      However you have not yet added any users to be able to access the admin console.

      To add a new user execute the add-user.sh script within the bin folder of your WildFly installation and enter the requested information.

      By default the realm name used by WildFly is "ManagementRealm" this is already selected by default.


      Does this mean now anonymous user cannot get access to the admin panel hence the above vulnerability is addressed? I was hoping to find some documentation in Wildfly release notes about this, but did not find any. I checked the release notes of Wildfly 11 and also 15.0.1. Any information on this would help.


      thanks in advance.