简体繁体 English

如何测试JBoss 4.2.2中是否使用了jmx-console.war？

[英]How can I test whether jmx-console.war is being used in JBoss 4.2.2?

原文 2013-04-18 20:26:15 7 1 security/ jboss/ console/ jmx/ nessus

There is a file within the .\\jboss-4.2.2.GA\\server\\default\\deploy folder, named "jmx-console.war". 。\\ jboss-4.2.2.GA \\ server \\ default \\ deploy文件夹中有一个文件，名为“ jmx-console.war”。 I am getting a security vulnerability dealing with this module. 我正在处理此模块的安全漏洞。 How can I tell if our application is using this module. 我如何知道我们的应用程序是否正在使用此模块。 I implemented an open source tool, but I'm not sure how to test whether it's being used. 我实现了一个开源工具，但不确定如何测试它是否正在使用。

Nessus vulnerability of High Severity: Nessus高严重性漏洞：

JBoss JMX Console Unrestricted Access JBoss JMX控制台无限制访问

http://www.tenable.com/plugins/index.php?view=single&id=23842 http://www.tenable.com/plugins/index.php?view=single&id=23842

1 个解决方案

If you see that war file in the deploy folder, then most likely your application is using it. 如果您在deploy文件夹中看到该war文件，则很可能您的应用程序正在使用它。 That is to say, it is most likely being loaded. 也就是说，它很可能正在加载。 It should be fairly easy to test for, assuming you know the HTTP port the JBoss instance is listening on. 假设您知道JBoss实例正在侦听的HTTP端口，应该可以轻松进行测试。 By default, it is 8080 so point your browser to http://[your jboss host]:8080/jmx-console and see if the console comes up, keeping in mind that it might be password protected, and your HTTP port might not be 8080. 默认情况下为8080，因此将浏览器指向http：// [您的jboss主机]：8080 / jmx-console并查看控制台是否启动，请记住它可能受到密码保护，并且您的HTTP端口可能不受保护是8080。

You should also see something like this in the server.log or configured equivalent: 您还应该在server.log或已配置的等效项中看到以下内容：

11:52:30,165 INFO main [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/ 11：52：30,165 INFO主[TomcatDeployer]部署，ctxPath = / jmx-console，warUrl = ... / deploy / jmx-console.war /

Having said that, there's a couple of ways I can think of that would indicate or cause the jmx-console to not be deployed: 话虽如此，我有几种方法可以指示或指示不部署jmx-console：

The folder you referenced is in the default server directory. 您引用的文件夹在默认服务器目录中。 This is only one instance out of 3 (default, all, minimal) and you may be running one of the others, or even a custom configured server. 这只是3个实例中的一个（默认，全部，最小），您可能正在运行其他实例，甚至运行定制配置的服务器。 That is to say, if you were running the minimal server instance, or one that did not contain the jmx-console.war, then the presence of that file in the default server's deploy directory would not cause it to be deployed in another server's instance. 也就是说，如果您正在运行最小服务器实例，或者运行的是不包含jmx-console.war的服务器实例，那么该文件在默认服务器的deploy目录中的存在将不会导致该文件被部署在另一台服务器的实例中。 (that all sounds more complicated than it really is) （听起来比实际要复杂的多）
War files in the deploy directory depend on another directory called jboss-web.deployer which actually deploys war files. 部署目录中的war文件依赖于另一个名为jboss-web.deployer的目录，该目录实际部署war文件。 If that directory is not there, my guess is that war deployment has been disabled. 如果该目录不存在，我猜是战争部署已被禁用。 Highly unlikely though, as there are easier ways of doing this, and if someone went to the trouble of removing this folder, they probably would have removed the wars too. 不过，这种可能性极小，因为这样做的方法更简单，而且如果有人麻烦删除此文件夹，他们可能也会删除战争。

Bottom line is, the easiest way would be to find the http port, then hit the jmx-console URL and see if it responds, or check the log file. 最重要的是，最简单的方法是找到http端口，然后点击jmx-console URL，看看它是否响应，或者检查日志文件。 It is conceivable that someone could rename jmx-console.war to something else (in an ill-conceived attempt to hide it perhaps ?) in which case, you would need to execute a battery of http request scans and try and find a jmx-console signature, but that's out of my (otherwise quite large...) area of expertise. 可以想象有人可以将jmx-console.war重命名为其他名称（试图将其隐藏的错误尝试），在这种情况下，您将需要执行一系列HTTP请求扫描并尝试找到jmx-控制台签名，但这超出了我的专业知识范围（否则很大）。