
[Vulnerability notice] Weak password vulnerability in JBoss jmx-console

Last Updated: May 07, 2018

Description

The JBoss JMX console (jmx-console) ships without authentication and, once authentication is enabled, with a security constraint in its web.xml that covers only the GET and POST methods. A request that uses a method not listed in that constraint (such as HEAD, PUT or DELETE) is not subject to the authentication check, and HEAD is dispatched to the same handler as GET, so an unauthenticated client can invoke console operations as if it were a JBossAdmin user. Combined with the default admin/admin account, this lets an attacker deploy a webshell through the console's HtmlAdaptor module.
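The bypass in the description can be reproduced locally. The following Python script is an added example, not code from this notice or from JBoss: it models a JMX console behind a security constraint that lists only GET and POST (the shipped web.xml), beside one whose constraint covers every method, and probes both without credentials. The loopback port, the realm name and the admin:admin credential the servers accept are assumptions of the demo.

```python
"""Added example (not part of the original notice): a local model of the
method-scoped security constraint the notice describes.

The "vulnerable" server emulates a web.xml <security-constraint> that lists
only GET and POST: the Basic-auth check runs for those two verbs, while HEAD
(which HttpServlet routes to the GET handler), PUT and DELETE reach the handler
unauthenticated. The "hardened" server applies the check to every verb, which
is what a constraint with no <http-method> elements does. Ports, the realm
name and the admin:admin credential are assumptions for this demo.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed default credential, as shipped in jmx-console-users.properties.
VALID_CREDENTIAL = base64.b64encode(b"admin:admin").decode()


def make_handler(protected_methods):
    """Build a handler class. protected_methods=None means the constraint covers
    every method; a set such as {"GET", "POST"} models the notice's web.xml."""

    class JmxConsoleHandler(BaseHTTPRequestHandler):
        def _authorised(self):
            return self.headers.get("Authorization", "") == "Basic " + VALID_CREDENTIAL

        def _handle(self):
            method = self.command
            constrained = protected_methods is None or method in protected_methods
            if constrained and not self._authorised():
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="JBoss JMX Console"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # The console's privileged operation would execute here (e.g. the
            # HtmlAdaptor invoking a deployer); this demo returns a marker page.
            body = b"<html>HtmlAdaptor: JBossAdmin operation executed</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if method != "HEAD":  # HEAD carries headers only, like HttpServlet.doHead
                self.wfile.write(body)

        # The constraint is evaluated per verb before dispatch, as _handle models.
        do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle

        def log_message(self, *args):  # keep the demo quiet
            pass

    return JmxConsoleHandler


def start_server(protected_methods):
    """Start a server on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(protected_methods))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, methods=("GET", "POST", "HEAD", "PUT", "DELETE"), credential=None):
    """Send each method to /jmx-console/ (optionally with "user:pass" Basic
    credentials) and map method -> HTTP status."""
    headers = {}
    if credential:
        headers["Authorization"] = "Basic " + base64.b64encode(credential.encode()).decode()
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, "/jmx-console/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def bypass_methods(port):
    """Verbs that reach the console without any credentials (status 200)."""
    return sorted(m for m, status in probe(port).items() if status == 200)


if __name__ == "__main__":
    vulnerable, vport = start_server({"GET", "POST"})  # constraint as in web.xml
    hardened, hport = start_server(None)               # no <http-method> elements
    print("vulnerable:", probe(vport), "bypass via", bypass_methods(vport))
    print("hardened:  ", probe(hport), "bypass via", bypass_methods(hport))
    print("hardened with default creds:", probe(hport, ("GET",), "admin:admin"))
    vulnerable.shutdown()
    hardened.shutdown()
```

Run as a script, the first server answers 401 to GET and POST but 200 to HEAD, PUT and DELETE; the second answers 401 to all five and 200 only once admin:admin is supplied. Against a real instance, a HEAD to /jmx-console/ that returns 200 while GET returns 401 is the signature of this misconfiguration, and a GET with admin:admin that returns 200 shows the default credential is still in place.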

Fix

Configure network access control

Use an ECS security group to limit the IP addresses that can access the JBoss JMX console, and do not expose the console to the Internet.

Delete the default console files

If you do not need to use the console to manage and publish code, we recommend that you uninstall the console.

To uninstall the console, remove the jmx-console.war and web-console.war files under $JBOSS_HOME/server/all/deploy and $JBOSS_HOME/server/default/deploy (or under the deploy directory of whichever server profile you actually run).

Enable account authentication

By default, JBoss deployment and management information can be accessed at http://localhost:8080/jmx-console without a username or password. This is a security risk.

The following JBoss configuration makes a username and password compulsory for accessing the JMX console.

  1. Open /server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml under the JBoss installation directory, and uncomment the <security-domain>java:/jaas/jmx-console</security-domain> element.

    The revised content is as follows:

    <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will
    need to edit the htmladaptor login configuration to setup the
    login modules used to authenticate users.-->
    <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
  2. Open web.xml in the same directory as the jboss-web.xml from Step 1, and uncomment the <security-constraint> element.

    The revised content of this section is as follows:

    <!-- A security constraint that restricts access to the HTML JMX console
    to users with the role JBossAdmin. Edit the roles to what you want and
    uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
    secured access to the HTML JMX console.-->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
    role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>JBossAdmin</role-name>
    </auth-constraint>
    </security-constraint>

    After this modification, only users with the role JBossAdmin can access the JMX console with GET or POST. Note that the constraint as shipped lists only those two methods, so a request that uses any other method (HEAD, PUT or DELETE) is not subject to it; this is exactly the bypass described above. Delete the two <http-method> elements so that the constraint applies to every request regardless of method.

  3. Open login-config.xml under /server/default/conf in the JBoss installation directory to configure the jmx-console security domain from Step 1 and the JBossAdmin role from Step 2.

    1. Locate the application-policy named jmx-console.

      <application-policy name = "jmx-console">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
      </authentication>
      </application-policy>

      From the policy, the logon role and user information are set in the jmx-console-roles.properties and jmx-console-users.properties files under the props directory respectively.

    2. Open jmx-console-users.properties. The content is as follows.

      # A sample users.properties file for use with the UsersRolesLoginModule
      admin=admin
      • This file is formatted as username=password, one entry per line.
      • The username admin and password admin are defined by default.

      Change the default username and password. Choose a password that meets a strong password policy: for example, at least eight characters including uppercase and lowercase letters, digits and special symbols. The file stores the password in clear text, so restrict its file permissions to the account that runs JBoss; the UsersRolesLoginModule can also be given the hashAlgorithm and hashEncoding module options so that the file holds a password hash instead of the password itself.

    3. Open jmx-console-roles.properties. The content is as follows.

      # A sample roles.properties file for use with the UsersRolesLoginModule
      admin=JBossAdmin, HttpInvoker
      • This file is formatted as username=role. Multiple roles are separated by commas.
      • The user admin has two roles (JBossAdmin and HttpInvoker) by default.

      Every user who is allowed to access the JMX console must be given the JBossAdmin role here, and no other user should hold it.

  4. After the configuration, the username and password defined in jmx-console-users.properties are required to access the JMX console at http://localhost:8080/jmx-console/.
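To verify that all four files end up in the intended state, the following Python script is an added example, not code from this notice or from JBoss: it audits jboss-web.xml, web.xml, jmx-console-users.properties and jmx-console-roles.properties as text and reports the weaknesses the notice describes (security-domain still commented out, a constraint scoped to a method list, the default admin/admin account, a password below the notice's policy, and which users hold JBossAdmin). The sample file contents, the hardened user name jmxops and its password, and the finding codes are constructed for the example.

```python
"""Added example (not part of the original notice): an offline audit of the
files the fix touches. Sample contents below are constructed to match the
notice's Step 1 to Step 3; the finding codes are this example's own names."""
import re
import xml.etree.ElementTree as ET

# The notice's policy: eight or more characters, upper and lower case, digits, symbols.
PASSWORD_POLICY = [
    (r".{8,}", "at least 8 characters"),
    (r"[A-Z]", "an uppercase letter"),
    (r"[a-z]", "a lowercase letter"),
    (r"[0-9]", "a digit"),
    (r"[^A-Za-z0-9]", "a special symbol"),
]


def _local(tag):
    """Strip an XML namespace, so web.xml with or without an xmlns parses alike."""
    return tag.split("}", 1)[-1]


def _iter(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def parse_properties(text):
    """Minimal key=value parser for the JBoss .properties files (# starts a comment)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_password(password):
    """Return the policy rules the password fails (empty list = compliant)."""
    return [desc for pattern, desc in PASSWORD_POLICY if not re.search(pattern, password)]


def audit(jboss_web_xml, web_xml, users_props, roles_props):
    findings = []
    # Step 1: ElementTree drops comments, so a commented-out <security-domain>
    # simply does not appear in the parsed tree.
    if not _iter(ET.fromstring(jboss_web_xml), "security-domain"):
        findings.append("NO_SECURITY_DOMAIN: jboss-web.xml has no active <security-domain>")
    # Step 2: is there a live constraint, and is it limited to a method list?
    constraints = _iter(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("NO_CONSTRAINT: web.xml has no active <security-constraint>")
    for sc in constraints:
        methods = sorted((m.text or "").strip() for m in _iter(sc, "http-method"))
        if methods:
            findings.append("METHOD_SCOPED_CONSTRAINT: only %s are protected; "
                            "other verbs bypass authentication" % ",".join(methods))
    # Step 3: default or weak credentials, and who holds JBossAdmin.
    for user, password in parse_properties(users_props).items():
        if user == "admin" and password == "admin":
            findings.append("DEFAULT_CREDENTIALS: admin/admin is still configured")
        missing = check_password(password)
        if missing:
            findings.append("WEAK_PASSWORD: %s lacks %s" % (user, "; ".join(missing)))
    admins = sorted(u for u, r in parse_properties(roles_props).items()
                    if "JBossAdmin" in [x.strip() for x in r.split(",")])
    findings.append("JBOSSADMIN_USERS: %s" % ",".join(admins))
    return findings


# Constructed samples: jboss-web.xml still commented out, web.xml as left by
# Step 2 of the notice (GET and POST only), and the shipped properties files.
SHIPPED_JBOSS_WEB = """<jboss-web>
  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->
</jboss-web>"""
SHIPPED_WEB = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
SHIPPED_USERS = "# A sample users.properties file\nadmin=admin\n"
SHIPPED_ROLES = "# A sample roles.properties file\nadmin=JBossAdmin, HttpInvoker\n"

# Constructed hardened state: domain enabled, constraint on every verb, new account.
HARDENED_JBOSS_WEB = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""
HARDENED_WEB = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
HARDENED_USERS = "jmxops=Tr0ub4dor&3xample\n"  # hypothetical account and password
HARDENED_ROLES = "jmxops=JBossAdmin\n"

if __name__ == "__main__":
    for label, files in (("shipped", (SHIPPED_JBOSS_WEB, SHIPPED_WEB, SHIPPED_USERS, SHIPPED_ROLES)),
                         ("hardened", (HARDENED_JBOSS_WEB, HARDENED_WEB, HARDENED_USERS, HARDENED_ROLES))):
        print(label)
        for finding in audit(*files):
            print("  " + finding)
```

Point audit() at the real files read from $JBOSS_HOME/server/<profile>/deploy/jmx-console.war/WEB-INF and $JBOSS_HOME/server/<profile>/conf/props; a clean result is a single JBOSSADMIN_USERS line listing only the accounts that should manage the console.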
