Vulnerability CVE-2015-0225

book

Article ID: 143963

calendar_today

Updated On:

Products

CA Infrastructure Management CA Performance Management - Usage and Administration CA Performance Management - Data Polling DX NetOps

Issue/Introduction

Vulnerability critical error in Data Aggregator and Collector servers:

Java JMX RMI Accessible with Common Credentials
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0225

On the DA, the process causing this issue is java here:
# netstat -tulpn | grep 11099
tcp        0      0 0.0.0.0:11099           0.0.0.0:*               LISTEN      950/java

# ls -al /proc/950/exe
lrwxrwxrwx 1 root root 0 Jan  3 22:20 /proc/950/exe -> /ca/IMDataAggregator/jre/bin/java

This is a Java doc for authentication to do with JMX:
https://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html

 

 

 

Cause

Java JMX RMI Accessible with Common Credentials

 

Environment

Release : 3.7

Component : IM Reporting / Admin / Configuration

Resolution

Verify that ports 1099 and 11099 are blocked from external access.
These ports must remain open locally for internal communication.

See more on sites:
DA:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/performance-management/3-7/prepare-to-install-the-data-aggregator.html

DC:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/performance-management/3-7/installing/prepare-to-install-the-data-collectors.html

 

Additional Information

Alternately you can to enable username/password:
In activemq.xml, file change:
        <managementContext>
            <managementContext connectorPort="11099" createConnector="true" />
        </managementContext>

To:
        <managementContext>
            <managementContext connectorPort="11099" createConnector="true" jmxDomainName="org.apache.activemq">
              <property xmlns="http://www.springframework.org/schema/beans" name="environment">
                <map xmlns="http://www.springframework.org/schema/beans">
                  <entry xmlns="http://www.springframework.org/schema/beans"
                         key="jmx.remote.x.password.file"
                         value="${activemq.base}/conf/jmx.password"/>
                  <entry xmlns="http://www.springframework.org/schema/beans"
                         key="jmx.remote.x.access.file"
                         value="${activemq.base}/conf/jmx.access"/>
                </map>
              </property>
            </managementContext>
        </managementContext>

edit conf/jmx.password to have a different password for admin.

After next upgrade is necessary to change the activemq.xml and jmx.password files