JMX Vulnerabilities and security concerns on Agents
Article ID: 236115

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Hi Team,

By default, all agent components of CA Release Automation expose a web-based JMX console on port 8282.  

The username and password are exchanged over an unencrypted connection, and the default credentials are accepted.  

To remediate this, TLS encryption must be put in place and the credentials changed from the defaults.  

The other alternative is to disable the console on all affected machines.  See: https://knowledge.broadcom.com/external/article/29126/how-to-enabledisable-jmx-console-in-ca-r.html.

Can you please provide some guidance on the same?

Environment

Release : 6.x

Component : CA RELEASE AUTOMATION CORE

Cause

CA Release Automation (CARA) exposes the following JMX ports for its components:

  • Agent: 8282
  • NES/NAC: 20203

Please refer to the KBs mentioned below for more details on JMX and security configuration.

Resolution

JMX on Agents has no TLS configuration and is not used for any administrative task. We therefore recommend disabling it, if needed, as described in the document referenced above.

JMX on NAC and NES is used for administrative operations on the product, and both support TLS configuration. Refer to the document "Secure Communications With Signed Certificates" (for enabling TLS for JMX, see the section "JMX").

If a specific administrative task requires JMX on an Agent, it can be enabled, used, and then disabled again on an ad hoc basis.
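
The following is an added example, not part of the original article or of the product's tooling: a Python check an administrator can run against their own inventory to confirm the guidance above was applied, meaning agent port 8282 is no longer listening and NES/NAC port 20203 is never reachable in plaintext. The role labels, function names and sample inventory are constructed for this example, and it assumes that TLS, when enabled, is negotiated directly on the JMX port.

```python
import socket
import ssl

# Ports are the ones listed in the article; role labels are chosen for this example.
JMX_PORTS = {"agent": 8282, "nes_nac": 20203}


def probe(host, port, timeout=3.0):
    """Classify host:port as 'closed', 'open-plaintext' or 'open-tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered, unresolvable or unreachable
    # The only question is whether the listener negotiates TLS at all, so
    # certificate validation is skipped for this probe (assumption: TLS, when
    # enabled, starts directly on the port).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "open-tls"
    except (ssl.SSLError, OSError):
        return "open-plaintext"  # TCP connected but no TLS handshake
    finally:
        sock.close()


def compliant(role, state):
    """Article guidance: agent JMX disabled; NES/NAC JMX never in plaintext."""
    if role == "agent":
        return state == "closed"
    return state != "open-plaintext"


def audit(inventory, ports=JMX_PORTS, timeout=3.0):
    """inventory: iterable of (host, role). Returns one finding dict per host."""
    findings = []
    for host, role in inventory:
        state = probe(host, ports[role], timeout)
        findings.append({"host": host, "role": role, "port": ports[role],
                         "state": state, "ok": compliant(role, state)})
    return findings


if __name__ == "__main__":
    # Constructed inventory; replace with your own agent and NES/NAC hosts.
    for f in audit([("127.0.0.1", "agent"), ("127.0.0.1", "nes_nac")]):
        print(f"{f['host']}:{f['port']} {f['role']:8} {f['state']:15} "
              f"{'OK' if f['ok'] else 'REMEDIATE'}")
```

An agent that has JMX temporarily enabled for an ad hoc task will show as REMEDIATE until the console is disabled again.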
