Vulnerability for Java JMX Server Insecure Configuration

Nitin Parihar shared this question 3 years ago
Answered

Active Threat of Interest Vulnerability for Java JMX Server Insecure Configuration


Does HID integrate Apache/Yellowfin with Java JMX?


example: Java JMX interface insecure configuration detected on the system.

This would allow loading classes from any remote (HTTP) URL.

QID Detection Logic (Authenticated):

This QID executes "ps -ef|grep jmxremote.authenticate |grep -i -v -E 'jmxremote.host=(localhost|127\.0\.0\.1\b)" command to list all the running process then posts if any vulnerable process uses this insecure configuration "com.sun.management.jmxremote.authenticate=false" on remote network interfaces.

Replies (8)

photo
1

wanted to know if the steps in the below url be followed


https://camel.apache.org/manual/latest/faq/how-do-i-disable-jmx.html

photo
1

will disabling JMX - cause any problems with YF

photo
1

Hi Nitin,

Thanks for reaching out. I can't find anything previously logged related to this as it pertains to Yellowfin so I've gone ahead and assigned this to our Security Team to investigate and provide further information. Please standby.

Regards,

Mike

photo
1

Hi Nitin,

The Yellowfin installer is packaged with Apache Tomcat as an application server. In Tomcat, a remote JMX interface must be enabled using specific CATALINA_OPTS arguments within the <YellowfinInstall>/appserver/bin/catalina.(sh/bat) file, or your Windows Service file arguments.

Yellowfin does not ship with this interface enabled. Unless there has been custom work done to deploy Yellowfin into a different application server, or custom arguments added to the Tomcat deployment scripts, the above finding is likely a false positive. The Tomcat documentation details the steps required to enable such an interface here.

You should be able to determine whether this is truly enabled by analyzing files within the <YellowfinInstall>/appserver/bin folder. Check the catalina.(bat/sh) as well as any setenv.(bat/sh) that exist there. If you haven't made these types of changes to your Yellowfin installation, you do not need to take additional steps to disable JMX.

Please note that if a remote JMX interface is enabled that this is not something that falls under the scope of Yellowfin security or support, and that it should be managed and configured properly by your System Administrators.

Please have a look and let me know if you have any questions or concerns.

Regards,

Ryan

photo
1

Hi Nitin,

I wanted to check in here and see if you've had a chance to review my response.

Regards,

Ryan

photo
1

Hi Nitin,

It's been some time since I've heard back on this. I'm going to mark this as answered, but do let me know if you have further concerns around this.

Regards,

Ryan

photo
1

we are ok for now on this issue.

Thanks

Nitin

photo
1

Hi Nitin,

Thanks for confirming. Don't hesitate to reach out with any further questions or concerns.

Regards,

Ryan

Replies have been locked on this page!