Java JMX RMI Accessible with Common Credentials (Unauthenticated check) Vulnerability

Article ID: 234703


Products

CA Service Catalog

Issue/Introduction

Vulnerability scans were performed and detected the following finding:

"Java JMX RMI Accessible with Common Credentials (Unauthenticated check)" (OpenJDK).

Ports affected:
    PORT 9091, associated with process PID ####
    PORT 1099, associated with process PID ####

Environment

Release : 17.2

Component : SDM - Catalog

Cause

JMX RMI is listening on the default ports.

Resolution

Follow the steps below to close ports 1099 and 11099 and address the vulnerability:


1. Disable JMX listening on the ActiveMQ broker to address the vulnerability.

Open the file %USMHOME%\view\webapps\usm\WEB-INF\applicationContext.xml in a text editor.

Search for "useJmx" and locate the following element:

<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="true" networkConnectorStartAsync="true"
start="false">


2. Update the value of the "useJmx" property from true to false.

Example:
<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true"
start="false">

 

3. Change the default port 1099 to another port (19999 in this example) by adding the amq:managementContext element shown below inside the broker element:

<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true"
start="false">

    <amq:managementContext>
        <amq:managementContext createConnector="true" connectorPort="19999"/>
    </amq:managementContext>

4. Restart the Catalog Windows service.

5. Re-run the vulnerability scan tool and confirm the result.

 

How to check that the change has taken effect without a vulnerability scan:

In an elevated Windows Command Prompt (the -b option requires administrator rights), run the following command:

netstat -bona > out.txt

To validate:

In Task Manager, find the javaw.exe process whose Command Line column contains Service Catalog and note its PID.

Then search out.txt for that PID and ensure ports 1099 and 11099 do not appear among its LISTENING entries.
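The following Python script is an added example, not part of this article or of the product: it automates the two checks above on constructed sample data (a netstat -bona excerpt and an applicationContext.xml fragment with the recommended values). The ActiveMQ namespace URI and the sample PIDs are assumptions; point it at a real out.txt and the real file to use it.

```python
import xml.etree.ElementTree as ET

JMX_PORTS = {1099, 11099}                          # ports the article says must be closed
AMQ = "{http://activemq.apache.org/schema/core}"   # assumed xmlns:amq of applicationContext.xml

# Constructed "netstat -bona" excerpt (not real output); PID 4321 stands in for javaw.exe.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING       4321
 [javaw.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4321
 [javaw.exe]
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     4321
 [javaw.exe]
  TCP    [::]:11099             [::]:0                 LISTENING       5678
 [java.exe]
"""

# Constructed applicationContext.xml fragment carrying the values recommended above.
SAMPLE_XML = """<beans xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker id="amqBroker" useJmx="false" start="false">
    <amq:managementContext>
      <amq:managementContext createConnector="true" connectorPort="19999"/>
    </amq:managementContext>
  </amq:broker>
</beans>"""


def listening_ports(netstat_text, pid):
    """TCP ports in LISTENING state owned by `pid`; the '[image]' lines from -b are skipped."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[4] == str(pid):
            ports.add(int(f[1].rsplit(":", 1)[1]))  # rsplit also handles "[::]:port"
    return ports


def jmx_ports_open(netstat_text, pid):
    """Subset of JMX_PORTS that `pid` still listens on; empty means the fix took effect."""
    return listening_ports(netstat_text, pid) & JMX_PORTS


def broker_jmx_settings(xml_text):
    """(useJmx, connectorPort) read from amq:broker; port is None when no connector is set."""
    broker = ET.fromstring(xml_text).find(f".//{AMQ}broker")
    use_jmx = broker.get("useJmx", "true").lower() == "true"  # ActiveMQ defaults useJmx to true
    conn = broker.find(f"{AMQ}managementContext/{AMQ}managementContext")
    port = int(conn.get("connectorPort")) if conn is not None and conn.get("connectorPort") else None
    return use_jmx, port
```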