Vulnerability for Java JMX Server Insecure Configuration
Active Threat of Interest Vulnerability for Java JMX Server Insecure Configuration
Does HID integrate Apache/Yellowfin with Java JMX?
Example: Java JMX interface insecure configuration detected on the system.
This would allow loading classes from any remote (HTTP) URL.
QID Detection Logic (Authenticated):
This QID executes the "ps -ef|grep jmxremote.authenticate |grep -i -v -E 'jmxremote.host=(localhost|127\.0\.0\.1\b)'" command to list all the running processes, then posts if any vulnerable process uses this insecure configuration "com.sun.management.jmxremote.authenticate=false" on remote network interfaces.
Wanted to know if the steps in the below URL can be followed:
https://camel.apache.org/manual/latest/faq/how-do-i-disable-jmx.html
Will disabling JMX cause any problems with YF?
Hi Nitin,
Thanks for reaching out. I can't find anything previously logged related to this as it pertains to Yellowfin so I've gone ahead and assigned this to our Security Team to investigate and provide further information. Please standby.
Regards,
Mike
Hi Nitin,
The Yellowfin installer is packaged with Apache Tomcat as an application server. In Tomcat, a remote JMX interface must be enabled using specific CATALINA_OPTS arguments within the <YellowfinInstall>/appserver/bin/catalina.(sh/bat) file, or your Windows Service file arguments.
Yellowfin does not ship with this interface enabled. Unless there has been custom work done to deploy Yellowfin into a different application server, or custom arguments added to the Tomcat deployment scripts, the above finding is likely a false positive. The Tomcat documentation details the steps required to enable such an interface here.
You should be able to determine whether this is truly enabled by analyzing files within the <YellowfinInstall>/appserver/bin folder. Check the catalina.(bat/sh) as well as any setenv.(bat/sh) that exist there. If you haven't made these types of changes to your Yellowfin installation, you do not need to take additional steps to disable JMX.
Please note that if a remote JMX interface is enabled, this is not something that falls under the scope of Yellowfin security or support, and that it should be managed and configured properly by your System Administrators.
Please have a look and let me know if you have any questions or concerns.
Regards,
Ryan
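As an added example (not code from this thread, from Qualys, or from Yellowfin), the following POSIX shell script reproduces the QID's check against a single process command line and then looks for jmxremote flags in the Tomcat startup scripts Ryan points to (catalina.sh and setenv.sh under <YellowfinInstall>/appserver/bin). The install-path argument and the sample command lines are assumptions.

```shell
#!/bin/sh
# Added example: local reproduction of the scanner's JMX check plus a
# static look at Tomcat's startup scripts. Not Yellowfin's or Qualys' code.

# Returns 0 (risky) when the Java command line enables remote JMX with
# authentication disabled and does not pin the listener to loopback.
# Returns 1 otherwise. Mirrors the QID's grep/grep -v pair.
jmx_cmdline_is_risky() {
  cmdline=$1
  case "$cmdline" in
    *com.sun.management.jmxremote.authenticate=false*) ;;
    *) return 1 ;;   # authentication not disabled: not the QID's finding
  esac
  # Scanner exclusion: a host pinned to localhost/127.0.0.1 is not reported.
  if printf '%s' "$cmdline" | grep -q -i -E 'jmxremote\.host=(localhost|127\.0\.0\.1\b)'; then
    return 1
  fi
  return 0
}

# Prints how many lines in catalina.sh and setenv.sh under
# <install>/appserver/bin set any com.sun.management.jmxremote property.
# Zero means nobody added JMX arguments to the Tomcat scripts.
count_jmx_flags_in_scripts() {
  bindir=$1/appserver/bin
  n=0
  for f in "$bindir/catalina.sh" "$bindir/setenv.sh"; do
    [ -f "$f" ] || continue
    c=$(grep -c 'com\.sun\.management\.jmxremote' "$f" || true)
    n=$((n + c))
  done
  echo "$n"
}

# Live check over running processes, same shape as the QID's command.
# The [j] trick keeps the grep process itself out of the match.
scan_running_processes() {
  ps -ef | grep '[j]mxremote.authenticate' | while IFS= read -r line; do
    if jmx_cmdline_is_risky "$line"; then
      echo "RISKY: $line"
    fi
  done
}
```

Run `scan_running_processes` on the host and `count_jmx_flags_in_scripts /path/to/Yellowfin` to confirm both sides of Ryan's advice: no risky process and no JMX arguments in the scripts means the finding is a false positive for this install.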
Hi Nitin,
I wanted to check in here and see if you've had a chance to review my response.
Regards,
Ryan
Hi Nitin,
It's been some time since I've heard back on this. I'm going to mark this as answered, but do let me know if you have further concerns around this.
Regards,
Ryan
We are OK for now on this issue.
Thanks
Nitin
Hi Nitin,
Thanks for confirming. Don't hesitate to reach out with any further questions or concerns.
Regards,
Ryan