3 Replies Latest reply on Mar 24, 2009 1:32 PM by Peter Johnson

    Default installations are unsecured

    Ondrej Medek Apprentice

      Hi,

      http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

      http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

      Just try to google for "jboss jmx management console" or "MBean inspector" and you can hack or shutdown lot of JBoss instalations.

      I know that it is fault of the admins, but there are techniques how to prevent it. Maybe collegues from RedHat security can advise. Something like:

      - the console is secured and random password for admin is generated during the installation process (or maybe during the first run of the server? or anytime a password is null a random password is generated?)

      - the console is not configured by default. instead, the localhost:8080 points to a static web page, which tell the user how to start secured (or unsecured) jmx-console