Java JMX Agent Insecure Configuration

Article ID: 130586

Products

CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Security scan vulnerability finding on our CA Catalog servers on port 1099:

Java JMX Agent Insecure Configuration (118039)

Synopsis 
A remote Java JMX agent is configured without SSL client and password authentication. 

Description 
A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent. 

Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM. 

Solution 
Enable SSL client or password authentication for the JMX agent.

Environment

SERVICE MANAGEMENT 17.x
Service Catalog 17.x

Resolution

1) The following article gives some background and context for JMX:
https://www.mulesoft.com/tcat/tomcat-jmx

2) Another case reported a vulnerability on port 1099. Port 1099 is the JMX port of the ActiveMQ Broker component used by Catalog; it allows remote monitoring of the ActiveMQ Broker.

Port 1099 is open by default so that Java monitoring tools can monitor the performance of the ActiveMQ Broker.

The following steps close port 1099 and address the vulnerability:
---------------------------------------------
i. Open the file %USMHOME%\view\webapps\usm\WEB-INF\applicationContext.xml in a text editor.

ii. Search for "useJmx".

iii. The search matches the following entry:

<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data" 
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="true" networkConnectorStartAsync="true" 
start="false"> 

iv. Change the value of the "useJmx" attribute from true to false, for example:

<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data" 
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true" 
start="false"> 

v. Restart the Catalog Windows service.

vi. Re-run the vulnerability scan and confirm that the finding on port 1099 is no longer reported.
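The following script is an added example and is not part of this article or of the CA/Broadcom product code. It reproduces steps i to iv above on a constructed applicationContext.xml fragment modelled on the entry quoted in step iii: it locates the <amq:broker> bean, reports whether JMX is enabled, and rewrites useJmx to "false". The sample XML, the function names and the command-line handling are assumptions; the real file path is the one given in step i.

```python
"""Audit and remediate the ActiveMQ useJmx setting in a Spring applicationContext.xml.

Added example (not the article's or the product's own code). It mirrors the
manual procedure in the article on a constructed configuration fragment.
"""
import sys
import xml.etree.ElementTree as ET

# Namespaces used by the bean definition. The amq prefix is the ActiveMQ XBean
# schema; the values are assumptions for this sample and may differ in a real file.
NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "amq": "http://activemq.apache.org/schema/core",
}

# Constructed sample modelled on the entry quoted in step iii of the article.
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}"
              dataDirectory="${usm.home}/logs/jms-data"
              systemExitOnShutdown="false" persistent="true" enableStatistics="true"
              useJmx="true" networkConnectorStartAsync="true" start="false">
  </amq:broker>
</beans>
"""


def find_brokers(root):
    """Return every <amq:broker> element below the root, in document order."""
    return root.findall(".//amq:broker", NS)


def jmx_enabled(xml_text):
    """True if any ActiveMQ broker bean has JMX enabled.

    ActiveMQ's BrokerService defaults useJmx to true, so a broker element
    without a useJmx attribute at all is reported as enabled (step ii would
    not find the attribute, but the port would still be open).
    """
    root = ET.fromstring(xml_text)
    return any(b.get("useJmx", "true").strip().lower() == "true"
               for b in find_brokers(root))


def disable_jmx(xml_text):
    """Return a copy of the configuration with useJmx="false" on every broker bean."""
    root = ET.fromstring(xml_text)
    for broker in find_brokers(root):
        broker.set("useJmx", "false")
    # Keep the original prefixes so the output still reads as <amq:broker>.
    ET.register_namespace("", NS["beans"])
    ET.register_namespace("amq", NS["amq"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python audit_usejmx.py [path/to/applicationContext.xml] [--fix]
    # With no path, the constructed sample is audited.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    path = args[0] if args else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONTEXT
    enabled = jmx_enabled(text)
    print("JMX enabled on ActiveMQ broker:", enabled)
    if enabled and "--fix" in sys.argv and path:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(disable_jmx(text))
        print("useJmx set to false; restart the Catalog Windows service (step v).")
```

Two caveats on the design. ElementTree drops XML comments and reflows attributes when it serialises, so for a production file it is safer to use the script's audit function and then make the one-attribute change by hand as in step iv, or to keep a backup before running with --fix. Disabling useJmx removes the ActiveMQ monitoring connector entirely; if remote monitoring is still required, the scanner's own remediation (password authentication or SSL client authentication on the JMX agent) is the alternative to closing the port.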

Additional Information

For the Java Deserialization Vulnerability with Service Catalog, please refer to the following KB article:

https://knowledge.broadcom.com/external/article/7834/java-deserialization-vulnerability-with.html