
How to fix Java JMX RMI Accessible without Credentials

Any idea how to fix this security vulnerability? Java JMX interface is accessible via the following username/password pairs: admin/password admin/admin admin/activemq monitorRole/QED controlRole/R%26D controlrole/password monitorrole/password cassandra/cassandrapassword monitorRole/tomcat controlRole/tomcat monitorRole/mrpasswd controlRole/crpasswd role1/role1passwd role2/role2passwd role3/role3passwd admin/thisIsSupposedToBeAStrongPassword! QID Detection Logic (Authenticated): This QID tries to log into the JMX RMI server using the above credentials. Note: if the remote JMX RMI server is accessible without authentication, all of the above credentials will post.

The fix for this mentions changing the common password, but I'm not sure where exactly, or whether that is the right way. Any guidance is appreciated.

You can use Java Console (jconsole.jar or jconsole.exe) or Java Mission Control to verify whether you can connect with one of the default passwords listed by Qualys or without any credentials at all.

Here are the instructions on how to secure JMX from Oracle: https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwd.html

Here's how to enable JMX with password and SSL: https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwdssl.html

You may need to work with your specific vendor on how to address this for your specific configuration but here's how another particular vendor recommends addressing it: https://support.datastax.com/hc/en-us/articles/204226179-Step-by-step-instructions-for-securing-JMX-authentication-for-nodetool-utility-OpsCenter-and-JConsole
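To tell which side of this finding a JVM is on, and to create the password and access files that the Oracle pages above refer to, here is an added shell example (not code from the original answer, from Oracle or from any vendor). It assumes a POSIX shell and a JVM configured through the standard com.sun.management.jmxremote.* system properties; the /etc/jmx paths, port 9010 and the user name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer or from Oracle's docs.
# Assumes a POSIX shell and a JVM configured via the standard
# com.sun.management.jmxremote.* properties; /etc/jmx and port 9010 are placeholders.

# audit_jmx_opts OPTS: return 0 when the remote-JMX settings in OPTS are
# secured (authentication on, explicit credential files, SSL on) and 1 when
# the scanner finding in the question would apply. Prints one line per problem.
audit_jmx_opts() {
    opts="$1"; rc=0
    case "$opts" in
        *com.sun.management.jmxremote.port=*) ;;
        *) echo "OK: no remote JMX port configured"; return 0 ;;
    esac
    case "$opts" in
        *com.sun.management.jmxremote.authenticate=false*)
            echo "FAIL: authenticate=false, JMX is open to anyone who can reach the port"; rc=1 ;;
    esac
    case "$opts" in
        *com.sun.management.jmxremote.password.file=*) ;;
        *) echo "FAIL: no explicit password.file (JVM default: lib/management/jmxremote.password)"; rc=1 ;;
    esac
    case "$opts" in
        *com.sun.management.jmxremote.ssl=false*)
            echo "FAIL: ssl=false, passwords cross the network in clear text"; rc=1 ;;
    esac
    return $rc
}

# write_jmx_credentials DIR USER PASSWORD ROLE: create the two files that the
# password.file and access.file properties point at. ROLE is readonly or
# readwrite. The JVM refuses to start if the password file is readable by
# anyone but its owner, so it is created under umask 077 and set to mode 600.
write_jmx_credentials() {
    dir="$1"; user="$2"; pass="$3"; role="$4"
    old_umask=$(umask); umask 077
    printf '%s %s\n' "$user" "$pass" > "$dir/jmxremote.password"
    printf '%s %s\n' "$user" "$role" > "$dir/jmxremote.access"
    umask "$old_umask"
    chmod 600 "$dir/jmxremote.password"
}

# A launch line that passes the audit (port and paths are placeholders):
#   java -Dcom.sun.management.jmxremote.port=9010 \
#        -Dcom.sun.management.jmxremote.authenticate=true \
#        -Dcom.sun.management.jmxremote.ssl=true \
#        -Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password \
#        -Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access \
#        -jar app.jar
```

Run audit_jmx_opts against the JAVA_OPTS or the command line from `ps` of the service that Qualys flagged; a clean result together with a non-default password in jmxremote.password is what clears the finding.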
