Manuel and Kaydo,

On 8/6/20 09:23, Manuel Dominguez Sarmiento wrote:
> JMX is usually set up on port 1099 for monitoring the JVM. It can
> be either secured, or insecure (no password, no encryption), which
> is the default configuration. If you cannot modify the app, then
> the safest bet would probably be to block access to the port with
> the system firewall (for instance, iptables on Linux).
>
> Check the following system properties for clues:
> -Dcom.sun.management.jmxremote.port=<port>
> -Dcom.sun.management.jmxremote.password.file=<password.properties>
> -Dcom.sun.management.jmxremote.access.file=<access.properties>

+1

Unfortunately, iptables and similar can't stop someone on localhost from hitting that interface. It turns a remote-access issue into a local-access issue, which is arguably more secure.

You might want to determine if you even need access to JMX at all. This is usually used for remote monitoring or remote control of a server. If you aren't doing those things, you may simply be able to disable JMX entirely with no replacement.

Another option would be to disable the JMX agent and instead use Tomcat's JMXProxyServlet from the Manager application. This has the following advantages:

1. Configuration is easier to understand -- same as application access control instead of weird system-property-based access control
2. Any number of users can be configured (I think more recent JVMs allow more nuanced configuration for JMX, but Tomcat's authentication works no matter what JVM you are using)
3. More secure: TLS config can be tweaked, can filter by IP, etc. (everything you can do with any other application)

Hope that helps,
-chris

> On 06/08/2020 10:13, Kaydo Bramble wrote:
>> Hi Everyone,
>>
>> Our security scanner has identified an application that has "Java
>> JMX Agent Insecure Configuration" on one of our Tomcat 8.5
>> servers. This server was set up by a vendor and I am not sure
>> what JMX is being used for or how it is set up. Does anyone have
>> any ideas on how to resolve this? I tried asking the vendor
>> multiple times and they have had no clue since 2019.
>>
>> Thanks,
>>
>> Kenrick "Kaydo" Bramble
>> Manager, Databases and Middleware - Enterprise Systems
>> Office of Information Technology
>> ka...@rice.edu | 713-348-8645
>> Rice University | 6100 Main St. | Houston, TX 77005

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
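As an added example (written for this page, not code from the thread or from Tomcat), here is a small POSIX shell audit that applies Manuel's property checklist to a JVM command line and also reports the ports a host firewall would have to cover. It uses the standard com.sun.management.jmxremote.* property names; the two that decide whether the agent is the scanner's "insecure configuration" are .authenticate and .ssl, which the JDK defaults to true once .port enables the remote agent, so an insecure deployment has normally set them to false explicitly. The sample command lines are constructed, and the script assumes no JVM argument contains an embedded space.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Audits a JVM
# command line for the JMX remote agent. Property names are the standard
# com.sun.management.jmxremote.* ones; .authenticate and .ssl default to
# true when unset. Assumption: no JVM argument contains an embedded space.

# jmx_prop CMDLINE NAME: value of -Dcom.sun.management.jmxremote.NAME,
# last occurrence wins (as in the JVM); empty output when not set.
jmx_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p" | tail -n 1
}

# jmx_audit CMDLINE: prints NO_AGENT, SECURED, or "INSECURE: <reasons>".
# No .port property means no remote agent at all (a bare
# -Dcom.sun.management.jmxremote without .port is local-only), which is
# the "disable JMX entirely" outcome.
jmx_audit() {
    port=$(jmx_prop "$1" port)
    if [ -z "$port" ]; then
        echo "NO_AGENT"
        return 0
    fi
    reasons=""
    if [ "$(jmx_prop "$1" authenticate)" = "false" ]; then
        reasons="$reasons no-auth"
    fi
    if [ "$(jmx_prop "$1" ssl)" = "false" ]; then
        reasons="$reasons no-tls"
    fi
    if [ -n "$reasons" ]; then
        echo "INSECURE:$reasons"
    else
        echo "SECURED"
    fi
}

# jmx_firewall_ports CMDLINE: TCP ports a host firewall (iptables etc.) has
# to cover. The RMI registry listens on .port; the RMI connector itself
# listens on .rmi.port, or on a random ephemeral port when that is unset,
# so a rule for 1099 alone filters the registry but not the connector
# endpoint.
jmx_firewall_ports() {
    port=$(jmx_prop "$1" port)
    if [ -n "$port" ]; then
        rmi=$(jmx_prop "$1" rmi.port)
        echo "$port ${rmi:-ephemeral}"
    fi
}

# Constructed sample command lines (not taken from the thread).
JMX_INSECURE_CMD='java -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar'
JMX_SECURED_CMD='java -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1099 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password.file=/opt/tomcat/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/opt/tomcat/conf/jmxremote.access -jar app.jar'
JMX_LOCAL_ONLY_CMD='java -Dcom.sun.management.jmxremote -jar app.jar'

# Demo over the samples. On Linux, audit a live Tomcat with its pid:
#   jmx_audit "$(tr '\000' ' ' < /proc/"$PID"/cmdline)"
for c in "$JMX_INSECURE_CMD" "$JMX_SECURED_CMD" "$JMX_LOCAL_ONLY_CMD"; do
    echo "$(jmx_audit "$c") | firewall ports: $(jmx_firewall_ports "$c")"
done
```

Feed it the real command line from /proc/<pid>/cmdline (NUL-separated, hence the tr) or from ps. A SECURED verdict only means authentication and TLS are switched on; it does not prove the password and access files exist or that the keystore is sane, so still confirm those by hand. If the vendor does not need remote JMX, removing the .port property is the cleanest fix; if somebody does need it, Chris's JMXProxyServlet route keeps access behind the Manager application's own authentication (the manager-jmx role in tomcat-users.xml) instead of the agent.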