7 Replies Latest reply on Aug 30, 2012 3:48 AM by bluelabel

    Security Concern?

    grahamaj

      I am running jBoss AS 6.1.0 and am concerned with the jmx security threat:  http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

       

      I went through the steps to secure the jmx-console that are found here: http://community.jboss.org/wiki/SecureTheJmxConsole

      The insturctions metion a technical paper that gives details on securing the JMX Invokers. I couldn't find the location of the jmx-invoker-service.xml that the paper mentions within the server anywhere in the 6.1.0 server.

       

      During every evening at 11:30pm I get the following 2 lines in the server output:

      23:30:23,171 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] deploy, ctxPath=/jmx-console

      23:36:24,475 INFO  [com.arjuna.ats.arjuna] ARJUNA-12296 ExpiredEntryMonitor running at Wed, 26 Oct 2011 23:36:24

       

      Does this output indicate that my jmx-console is getting compromised?

      Is it because I can't locate the invoker authentication?

        • 1. Re: Security Concern?
          jaikiran

          So every day 11:30 you get a log message of jmx-console being deployed? That probably would mean that it was undeployed earlier. Do you see that log somewhere? Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.

          • 2. Re: Security Concern?
            grahamaj

            Well it looks as though I was confusing this output statement with one I was receiving before I went through the tutorial on securing the JMX

            19:41:20,404 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jmx-console].[HtmlAdaptor]] Servlet.service() for servlet HtmlAdaptor threw exception: javax.management.InstanceNotFoundException: jboss.admin:service=DeploymentFileRepository is not registered.

                      at org.jboss.mx.server.registry.BasicMBeanRegistry.get(BasicMBeanRegistry.java:529) [:6.0.0.GA]

                      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:664) [:6.0.0.GA]

                      at org.jboss.jmx.adaptor.control.Server.invokeOpByName(Server.java:258) [:]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:391) [:]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:388) [:]

                      at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:387) [:]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:312) [:]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.processRequest(HtmlAdaptorServlet.java:106) [:]

                      at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.doGet(HtmlAdaptorServlet.java:81) [:]

                      at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:310) [:1.0.0.Final]

                      at javax.servlet.http.HttpServlet.service(HttpServlet.java:751) [:1.0.0.Final]

                      at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]

                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.1.0.Final]

                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]

                      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.1.0.Final]

                      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [:6.1.0.Final]

                      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.1.0.Final]

                      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]

                      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]

                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]

                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]

                      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]

                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]

                      at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]

                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]

                      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]

                      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]

                      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]

                      at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

             

             

            I did a more comprehensive search through my logs and found that the deploymet output was only in there once for every deployment.  The curious thing is that this output statement showed up over 12 hours after I deployed.  It is a little puzzling, but I am not too concerned.

             

            Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.

             

            I am pretty confident that I don't need the jmx-console running on the server.  Would I just remove the jmx-console.war folder to get rid of it?

            • 3. Re: Security Concern?
              bluelabel

              Hi jai,

               

              Could you please tell me how to remove / permenently disable the jmx-console in Jboss 6.1.0 Final?

              • 4. Re: Security Concern?
                astratto

                Hi,

                if you're really sure that you don't need the jmx-console and you want to get rid of it, just remove its war directory under server/xxx/deploy.

                 

                Cheers

                • 5. Re: Security Concern?
                  bluelabel

                  HI Stefano,

                  Appreciate if you could tell me exactly what directory to be removed? Because i see several directories in JBOSS_HOME/server/xxx/deploy. Below are the directories i see there, so which one should be removed and are there any specific steps to be taken before delete that directory?

                  1. hornetq -  What does this do anyway?
                  2. http-invoker.sar
                  3. jbossweb.sar
                  4. jms-ra.rar
                  5. mod_cluster.sar
                  6. ROOT.war
                  7. security
                  8. uuid-key-generator.sar
                  9. xnio-provider.jar

                   

                  Thanks

                  • 6. Re: Security Concern?
                    astratto

                    Hi Sam,

                    sorry but I had read 5.1 instead of 6.1...

                     

                    In JBoss 6.1 the jmx-console.war directory is under common/deploy, but its deployment is on-demand and if you just remove/rename it you'll get a java.lang.IllegalStateException: Incompletely deployed.

                     

                    There are two ways:

                    • if you want to remove jmx-console only for a single profile, simply remove/rename the file server/xxx/deploy/jmx-console-activator-jboss-beans.xml
                    • if you want to remove it for every profile, remove/rename the directory common/deploy/jmx-console.war AND remove every server/xxx/deploy/jmx-console-activator-jboss-beans.xml file

                     

                    See also: https://community.jboss.org/message/734664#734664

                     

                    Cheers,

                    Stefano

                    • 7. Re: Security Concern?
                      bluelabel

                      Thanks a lot Stefano, It really helped me. Thanks again