JMX is usually set up on port 1099 for monitoring the JVM. It can be
either secured or insecure (no password, no encryption), which is the
default configuration.
If you cannot modify the app, then the safest bet would probably be to
block access to the port with the system firewall (for instance,
iptables on Linux).
Check the following system properties for clues:
-Dcom.sun.management.jmxremote.port=<port>
-Dcom.sun.management.jmxremote.password.file=<password.properties>
-Dcom.sun.management.jmxremote.access.file=<access.properties>
- Manuel Dominguez Sarmiento
On 06/08/2020 10:13, Kaydo Bramble wrote:
Hi Everyone,
Our security scanner has identified an application that has "Java JMX Agent
Insecure Configuration" on one of our Tomcat 8.5 servers. This server was
set up by a vendor and I am not sure what JMX is being used for or how it is
set up. Does anyone have any ideas on how to resolve this? I tried asking
the vendor multiple times and they have no clue since 2019.
Thanks,
Kenrick "Kaydo" Bramble
Manager, Databases and Middleware - Enterprise Systems
Office of Information Technology
ka...@rice.edu | 713-348-8645
Rice University | 6100 Main St. | Houston, TX 77005
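
The property check suggested in the reply above can be scripted. This is an added example, not part of the original thread or of Tomcat: it parses a JVM command line for com.sun.management.jmxremote.* properties and reports the JMX port and the settings that need attention. The two sample command lines and their file paths are constructed; a real command line would come from the Tomcat process arguments or from CATALINA_OPTS.

```python
import shlex

PREFIX = "-Dcom.sun.management.jmxremote"

# Constructed sample command lines (paths and layout are assumptions).
INSECURE = ("/usr/bin/java -Dcom.sun.management.jmxremote "
            "-Dcom.sun.management.jmxremote.port=1099 "
            "-Dcom.sun.management.jmxremote.authenticate=false "
            "-Dcom.sun.management.jmxremote.ssl=false "
            "org.apache.catalina.startup.Bootstrap start")
SECURED = ("/usr/bin/java -Dcom.sun.management.jmxremote.port=1099 "
           "-Dcom.sun.management.jmxremote.password.file=/opt/tomcat/conf/jmxremote.password "
           "-Dcom.sun.management.jmxremote.access.file=/opt/tomcat/conf/jmxremote.access "
           "org.apache.catalina.startup.Bootstrap start")


def parse_jmx_options(cmdline):
    """Map each jmxremote property suffix (e.g. 'port') to its value."""
    opts = {}
    for token in shlex.split(cmdline):
        if token == PREFIX or token.startswith(PREFIX + "."):
            key, _, value = token[len(PREFIX):].partition("=")
            opts[key.lstrip(".")] = value
    return opts


def audit(cmdline):
    """Report whether remote JMX is enabled and which settings need attention."""
    opts = parse_jmx_options(cmdline)
    report = {"remote": "port" in opts, "port": opts.get("port"), "findings": []}
    if not report["remote"]:
        return report  # no remote JMX port requested on this command line
    if opts.get("authenticate", "").lower() == "false":
        report["findings"].append("authenticate=false: no password is required")
    else:
        for name in ("password.file", "access.file"):
            if name not in opts:
                report["findings"].append(name + " is not set explicitly")
    if opts.get("ssl", "").lower() == "false":
        report["findings"].append("ssl=false: JMX traffic is not encrypted")
    return report


if __name__ == "__main__":
    for label, line in (("insecure", INSECURE), ("secured", SECURED)):
        print(label, audit(line))
```

The reported port is the one to restrict with the system firewall when the application itself cannot be changed.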