Qualys vulnerability scans were performed and detected the following vulnerability:
"Java JMX RMI Accessible with Common Credentials (Unauthenticated check)" OPEN JDK.
Ports affected: PORT 9091, associated with process PID 10616
PORT 1099, associated with process PID 10616
Release : 17.2
Component : SDM - Catalog
JMX RMI is listening on the default ports.
The following steps can be followed to close ports 1099 and 11099 and address the vulnerability:
-------------------------------------------------------------------------------------------------------------------------------
1. Disable JMX listening on the ActiveMQ broker, which is the component exposing the reported vulnerability.
Open the file %USMHOME%\view\webapps\usm\WEB-INF\applicationContext.xml in a text editor
Search for "useJmx"
Locate the following:
<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="true" networkConnectorStartAsync="true"
start="false">
2. Change the value of the "useJmx" attribute from true to false.
Example:
<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true"
start="false">
3. Change the default port 1099 to another port (19999 in this example) by adding the <amq:managementContext> element shown below inside the broker element:
<amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}" dataDirectory="${usm.home}/logs/jms-data"
systemExitOnShutdown="false" persistent="true" enableStatistics="true" useJmx="false" networkConnectorStartAsync="true"
start="false">
    <amq:managementContext>
        <amq:managementContext createConnector="true" connectorPort="19999"/>
    </amq:managementContext>
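The two edits above (useJmx="false" and a non-default connectorPort) can be checked in the file itself before restarting. The script below is an added example, not part of the original article or the product; the XML samples are constructed to mirror the fragments above, the function name audit_brokers is hypothetical, and it assumes the "amq" prefix in applicationContext.xml is bound to the standard ActiveMQ schema namespace.

```python
"""Audit an ActiveMQ <amq:broker> definition for JMX exposure (added example)."""
import xml.etree.ElementTree as ET

# Standard ActiveMQ Spring schema namespace; assumed to be the one the
# applicationContext.xml above binds to the "amq" prefix.
AMQ_NS = "http://activemq.apache.org/schema/core"
DEFAULT_JMX_PORT = "1099"

# Constructed samples modelled on the fragments above (not the product's real
# file): the broker as found (step 1) and as edited (steps 2 and 3).
BROKER_BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}"
      dataDirectory="${usm.home}/logs/jms-data" systemExitOnShutdown="false"
      persistent="true" enableStatistics="true" useJmx="true"
      networkConnectorStartAsync="true" start="false">
  </amq:broker>
</beans>"""

BROKER_AFTER = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker id="amqBroker" brokerName="brkr-#{jmsConfig.brokerName}"
      dataDirectory="${usm.home}/logs/jms-data" systemExitOnShutdown="false"
      persistent="true" enableStatistics="true" useJmx="false"
      networkConnectorStartAsync="true" start="false">
    <amq:managementContext>
      <amq:managementContext createConnector="true" connectorPort="19999"/>
    </amq:managementContext>
  </amq:broker>
</beans>"""


def audit_brokers(xml_text: str) -> list[str]:
    """Return one finding per problem; an empty list means both fixes are in place."""
    root = ET.fromstring(xml_text)
    brokers = list(root.iter(f"{{{AMQ_NS}}}broker"))
    if not brokers:
        return ["no <amq:broker> element found"]
    findings = []
    for broker in brokers:
        name = broker.get("id", "<unnamed>")
        # ActiveMQ enables JMX unless useJmx is explicitly false, so a missing
        # attribute is treated the same as "true".
        use_jmx = broker.get("useJmx", "true").strip().lower()
        if use_jmx != "false":
            findings.append(f'{name}: useJmx="{use_jmx}", expected "false"')
        # Nested managementContext element as added in step 3.
        ctx = broker.find(f"{{{AMQ_NS}}}managementContext/{{{AMQ_NS}}}managementContext")
        if ctx is not None and ctx.get("connectorPort") == DEFAULT_JMX_PORT:
            findings.append(f"{name}: JMX connector still on default port {DEFAULT_JMX_PORT}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BROKER_BEFORE), ("after", BROKER_AFTER)):
        print(label, audit_brokers(text) or ["ok"])
```

To run it against the real file, replace the constructed samples with the contents of %USMHOME%\view\webapps\usm\WEB-INF\applicationContext.xml; a missing useJmx attribute is reported as a finding because the broker defaults it to true.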
4. Restart the Catalog Windows service.
5. Run the vulnerability scan tool and confirm the result.
How to check if this has taken effect without a vulnerability scan:
In Windows Command Prompt, run the following command:
netstat -bona > out.txt
To validate:
In Task Manager, find the javaw.exe process whose Command Line column contains "Service Catalog" and note its PID.
Then search out.txt for that PID and ensure ports 1099 and 11099 are no longer listed for it.
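Searching out.txt by hand is error-prone when the PID appears on many lines, and a port number in the Foreign Address column (an outbound connection) can be mistaken for a listener. The script below is an added example, not part of the original article: it parses netstat -bona output, keeps only TCP LISTENING entries, and reports which of the two ports a given PID still listens on. The netstat text is constructed (not a capture from the affected host) and the function names are hypothetical.

```python
"""Check netstat -bona output for JMX listeners owned by one PID (added example)."""
import re
from collections import defaultdict

# Matches TCP/UDP data rows of Windows netstat: proto, local, foreign,
# optional state (UDP rows have none), PID. Header, blank and the "-b" owner
# lines such as " [javaw.exe]" do not match and are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Constructed samples: PID 10616 is the catalog javaw.exe named in the report.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING       10616
 [javaw.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       10616
 [javaw.exe]
  TCP    0.0.0.0:11099          0.0.0.0:0              LISTENING       10616
 [javaw.exe]
  TCP    [::]:1099              [::]:0                 LISTENING       10616
 [javaw.exe]
  UDP    0.0.0.0:500            *:*                                    2388
 [svchost.exe]
"""

NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       10616
 [javaw.exe]
  TCP    10.0.0.5:49712         10.0.0.20:1099         ESTABLISHED     4412
 [javaw.exe]
  UDP    0.0.0.0:500            *:*                                    2388
 [svchost.exe]
"""


def _port_of(addr: str) -> int:
    # rsplit handles IPv6 forms such as "[::]:1099" as well as "0.0.0.0:1099".
    return int(addr.rsplit(":", 1)[1])


def listening_ports(netstat_text: str) -> dict[int, set[int]]:
    """Map PID -> set of local TCP ports in LISTENING state."""
    ports: dict[int, set[int]] = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            ports[int(pid)].add(_port_of(local))
    return dict(ports)


def jmx_ports_exposed(netstat_text: str, pid: int, jmx_ports=(1099, 11099)) -> set[int]:
    """Return the JMX ports the PID still listens on; an empty set means remediated."""
    return listening_ports(netstat_text).get(pid, set()) & set(jmx_ports)


if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(label, sorted(jmx_ports_exposed(text, 10616)) or "remediated")
```

Feed it the saved out.txt (open the file and pass its contents) together with the PID noted from Task Manager; the ESTABLISHED row in the second sample shows why only LISTENING rows are counted.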