Creating a firewall rule to block the JMX port 7199 on VMware vRealize Log Insight 2.5 (CVE-2015-0225)
Article ID: 340392

Products

VMware Aria Suite

Issue/Introduction

VMware vRealize Log Insight 2.5 ships with Apache Cassandra 2.0.10 and is affected by CVE-2015-0225.

Under its default configuration, Apache Cassandra 2.0.10 binds an unauthenticated JMX/RMI interface to all network interfaces. Because RMI transports serialized Java objects and invokes methods remotely, anyone who can reach this interface can execute arbitrary code as the user running Cassandra. This article provides steps to create a firewall rule that blocks the JMX/RMI port (TCP 7199) on the Log Insight virtual appliance.


Environment

VMware vRealize Log Insight 2.5.x
VMware vRealize Log Insight 3.0.x

Resolution

This issue is resolved in VMware vRealize Log Insight 3.0, available from VMware Downloads.

If you cannot upgrade immediately, this issue can be mitigated by creating a firewall rule that rejects JMX/RMI traffic reaching the Log Insight virtual appliance from any interface other than loopback.

To create a firewall rule in the Log Insight virtual appliance:

  1. Open a console or SSH connection to the Log Insight appliance and log in as root.

  2. Use the iptables command to display the existing firewall rules. For example:

    iptables -L INPUT

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere tcp dpt:9240 reject-with icmp-port-unreachable


  3. Create a new firewall rule using this command:

    iptables -A INPUT ! -i lo -p tcp --dport 7199 -j REJECT

    Note: The ! -i lo match exempts the loopback interface, so JMX clients running on the appliance itself can still connect; only connections arriving on a network interface are rejected. The -A flag appends the rule to the end of the INPUT chain; because the chain policy is ACCEPT and the chain contains only REJECT rules, the position of the new rule does not affect the result.

  4. Save the firewall rules using this command:

    iptables-save > /opt/vmware/etc/li-iptables.cfg

    Note: This file is loaded when the appliance boots, so the rule persists across reboots.

  5. Use the iptables command to display the new firewall rules. For example:

    iptables -L INPUT

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere tcp dpt:9240 reject-with icmp-port-unreachable
    REJECT tcp -- anywhere anywhere tcp dpt:7199 reject-with icmp-port-unreachable


  6. Verify that a TCP connection to the JMX port fails. From a different computer, use the telnet command to establish a connection to port 7199 on your Log Insight virtual appliance:

    telnet LogInsightApplianceHostnameOrIP 7199

    For example:

    telnet 10.11.12.13 7199

    Expected output:

    Trying 10.11.12.13...
    telnet: connect to address 10.11.12.13: Connection refused
    telnet: Unable to connect to remote host


  7. Remote TCP connections to the Apache Cassandra JMX port on the Log Insight virtual appliance are now rejected (the REJECT target answers with an ICMP port-unreachable message, which the client reports as "Connection refused").
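The seven steps above, gathered into one script as an added example (it is not VMware's code and is not shipped with Log Insight). It applies the same REJECT rule idempotently, so running it twice does not add a duplicate, saves the rule set to the path the article names, and offers a check to run from another machine. The script name block-jmx.sh, the use of nc for the remote check, and the assumption that iptables and iptables-save are on the root user's PATH are mine; the rule, the port and the save path come from the article.

```shell
#!/bin/sh
# Added example, not VMware's own script: apply the article's mitigation
# idempotently, persist it, and verify it from another host.
# Assumptions: run as root on the appliance; iptables and iptables-save are
# on PATH; /opt/vmware/etc/li-iptables.cfg is the file restored at boot
# (as the article states); nc is available on the machine used for "check".

JMX_PORT=7199
SAVE_FILE=/opt/vmware/etc/li-iptables.cfg

# rule_present PORT: read iptables-save output on stdin and succeed if a rule
# rejecting TCP to PORT on every interface except loopback is already there.
# iptables-save renders the article's rule as
#   -A INPUT ! -i lo -p tcp -m tcp --dport 7199 -j REJECT --reject-with icmp-port-unreachable
# ("-m tcp" is added implicitly when the rule is typed, so it is optional here).
# A rule without the loopback exemption, such as the existing 9240 rule, does not count.
rule_present() {
    grep -Eq -- "^-A INPUT ! -i lo -p tcp( -m tcp)? --dport $1 -j REJECT"
}

# ensure_rule PORT: append the REJECT rule unless an equivalent one exists.
# The check uses iptables-save text rather than "iptables -C", which older
# iptables releases lack.
ensure_rule() {
    if iptables-save | rule_present "$1"; then
        echo "REJECT rule for tcp/$1 already present, nothing to do"
    else
        iptables -A INPUT ! -i lo -p tcp --dport "$1" -j REJECT
        echo "added REJECT rule for tcp/$1"
    fi
}

# save_rules: persist the running rule set to the boot-time file, writing a
# temporary file first so a failed save cannot truncate the live config.
save_rules() {
    tmp="$SAVE_FILE.tmp.$$"
    iptables-save > "$tmp" && mv "$tmp" "$SAVE_FILE"
}

# jmx_reachable HOST PORT: run from a *different* machine (the rule exempts
# loopback, so a local test proves nothing). Succeeds when a TCP connection
# opens; after the rule is in place it must fail.
jmx_reachable() {
    nc -z -w 3 "$1" "$2"
}

main() {
    case "$1" in
        apply)
            ensure_rule "$JMX_PORT"
            save_rules
            iptables -L INPUT -n --line-numbers
            ;;
        check)
            # usage from another host: sh block-jmx.sh check <appliance-ip>
            if jmx_reachable "$2" "$JMX_PORT"; then
                echo "tcp/$JMX_PORT on $2 is still reachable"; return 1
            fi
            echo "tcp/$JMX_PORT on $2 is blocked"
            ;;
        *)
            echo "usage: $0 apply | check <appliance-ip>" >&2; return 2
            ;;
    esac
}

# Act only when a subcommand is given, so sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `sh block-jmx.sh apply` as root on the appliance, then `sh block-jmx.sh check <appliance-ip>` from a workstation; the check must report the port as blocked, matching the "Connection refused" result of the telnet test in step 6.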



Additional Information


Creating a firewall rule to block the JMX port 7199 on VMware vRealize Log Insight 2.5 (CVE-2015-0225)