8 Replies Latest reply on Oct 5, 2012 1:05 AM by sunilkumarsh

    Need help

    Ankur Gupta Newbie

      Hi,

       

      While scaning on my server,vulnerability has been found at my server

       

      Below is the report:-

       

       

      Port

      Severity

      CVSS BASE

      Vulnerability

      Solution

      Action / Business Justification

      Screen Shot File Name

      8080

      High

      1. 7.5

      Jboss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users

      Restrict access to the HttpAdaptor JMXInvokerServlet

       

       

      8080

      High

      1. 7.5

      Jboss EJMXInvokerServlet is Accessible to Unauthenticated Remote Users

      Restrict access to the EJMXInvokerServlet

       

       

       

      Medium

      5

      TCP Sequence Number Approximation Based Denial of service

       

       

       

      8080

      Medium

      1. 6.8

      Slow HTTP headers Vulnerability

      Solution is server-specific Countemeasures for Apache ate described here (http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos)

       

       

      8080

      Medium

      1. 6.8

      Slow HTTP Post Vulnerability

       

       

       

       

       

       

      Please advice me, how can i resolve it.

        • 1. Re: Need help
          Wolf-Dieter Fink Master

          Hi Ankur,

          welcome to the forum.

          I will give you some general hints, a 'need help' subject will be useless as anybody here is looking for help or have a problem.

          You should give a description what the problem is, what JBoss version you use and what do you want to achieve.

           

          From your post I suppose that you have a JBoss installed and the admin interfaces are not secured, is that your issue?

          Is the JBoss public accessable? Otherwise it might not be a problem.

          1 of 1 people found this helpful
          • 2. Re: Need help
            Ankur Gupta Newbie

            Hi Flink,

             

            Thanks you very much for your reply and your kind advice & hints.

             

            yaa, I have installed Jboss-6.0.0.0 and i want to secure admin console,

            this server is public accessiable, so I want to secure it.

             

            Please suggest me further.

             

            Thanks & Regards

            Ankur Gupta

            • 3. Re: Need help
              Wolf-Dieter Fink Master

              Have a look to

              https://community.jboss.org/wiki/SecureTheJmxConsole

              or

              http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/Inspecting_the_Server___the_JMX_Console_Web_Application-Securing_the_JMX_Console.html

               

              also you might remove unnecessary services from the installation, see this guide

              https://community.jboss.org/wiki/JBoss6xTuningSlimming

              more you will find in the AS5 guide (see link on the wiki above), most of it is aplicable for AS6.

              • 4. Re: Need help
                Newbie

                Hi Dieter

                 

                Can you also please confirm whether changing the configuration file would not result into the increase of the log file or any other impact

                 

                Bye

                 

                Sunil Sharma

                • 5. Re: Need help
                  Wolf-Dieter Fink Master

                  Increase the log traffic might happen if you add new components or change the loggging level.

                  And what should I confirm, if you change the configuration this might have impacts depend on what you change. So I don't understand exacty what you meant by this.

                  • 6. Re: Need help
                    Newbie

                    Hi Dieter,

                     

                    1.       To Restrict access to the HttpAdaptor JMXInvokerServlet, we have commented following text on web.xml at [JBOSS_App_server_path]\server\lc_turnkey\deploy\httpha-invoker.sar\invoker.war\WEB-INF\. After commenting we are getting message “The requested resource (/invoker/JMXInvokerServlet) is not available” when trying to access /invoker/JMXInvokerServlet and that solves our issue.

                     

                    <!-- <servlet>

                           <servlet-name>JMXInvokerServlet</servlet-name>

                           <description>The JMXInvokerServlet receives posts containing serlized

                           MarshalledInvocation objects that are routed to the invoker given by

                           the the MBean whose object name hash is specified by the

                           invocation.getObjectName() value. The return content is a serialized

                           MarshalledValue containg the return value of the inovocation, or any

                           exception that may have been thrown.

                           </description>

                           <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>

                           <load-on-startup>1</load-on-startup>

                       </servlet>

                    -->

                     

                    2.      Just wanted to know are above changes having impact into the increase of the JBOSS server log files or any other impact on the JBOSS ?

                     

                    • 7. Re: Need help
                      jaikiran pai Master

                      Sunil Sharma wrote:

                       

                       

                      2.      Just wanted to know are above changes having impact into the increase of the JBOSS server log files

                       

                      Why do you think that's going to increase the log file size?

                      • 8. Re: Need help
                        Newbie

                        I mean size of JBOSS log files may be due to errors or exceptions reported due to commenting of “JMXInvokerServlet” in Web.XML mentioned in earlier post. Are there any possibilities that errors or exception will be reported?