Release : 17.2

Component : SDM - Catalog

JMX RMI is listening on the default ports.

The following steps can be followed to close ports 1099 and 11099 and address the vulnerability: 

-------------------------------------------------------------------------------------------------------------------------------

1.Disable JMX listening of ActiveMQ broker for reasons related to vulnerability

Open the file %USMHOME%\view\webapps\usm\WEB-INF\applicationContext.xml in a text editor 

Search for "useJmx"

 
Locate the following: 

<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data" 
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="true" networkConnectorStartAsync="true" 
start="false"> 

 2. Update the value of "useJmx" property from true to false.

Example: 
<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data" 
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true" 
start="false"> 

3.Change the default port 1099 to something (else ex:19999 here) by adding the Highlighted portion below

 <amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true"
start="false">

<amq:managementContext>
<amq:managementContext createConnector="true" connectorPort="19999"/>
</amq:managementContext>

4.Restart Catalog windows service 

5.Run the vulnerability scan tool and confirm the result. 

How to check if this has taken effect without a vulnerability scan:

In Windows Command Prompt, run the following command:

netstat -bona > out.txt

To Validate

In Task Manager, find the JAVAW.exe that has Service Catalog in the Command Line and note the PID

Then search the txt file above for the PID and ensure ports 1099 and 11099 are not there.