7 Replies Latest reply: Aug 30, 2012 3:48 AM by Sam Halpa RSS

Security Concern?

Adam G Newbie

I am running jBoss AS 6.1.0 and am concerned with the jmx security threat:  http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

 

I went through the steps to secure the jmx-console that are found here: http://community.jboss.org/wiki/SecureTheJmxConsole

The insturctions metion a technical paper that gives details on securing the JMX Invokers. I couldn't find the location of the jmx-invoker-service.xml that the paper mentions within the server anywhere in the 6.1.0 server.

 

During every evening at 11:30pm I get the following 2 lines in the server output:

23:30:23,171 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] deploy, ctxPath=/jmx-console

23:36:24,475 INFO  [com.arjuna.ats.arjuna] ARJUNA-12296 ExpiredEntryMonitor running at Wed, 26 Oct 2011 23:36:24

 

Does this output indicate that my jmx-console is getting compromised?

Is it because I can't locate the invoker authentication?

  • 1. Re: Security Concern?
    jaikiran pai Master

    So every day 11:30 you get a log message of jmx-console being deployed? That probably would mean that it was undeployed earlier. Do you see that log somewhere? Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.

  • 2. Re: Security Concern?
    Adam G Newbie

    Well it looks as though I was confusing this output statement with one I was receiving before I went through the tutorial on securing the JMX

    19:41:20,404 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jmx-console].[HtmlAdaptor]] Servlet.service() for servlet HtmlAdaptor threw exception: javax.management.InstanceNotFoundException: jboss.admin:service=DeploymentFileRepository is not registered.

              at org.jboss.mx.server.registry.BasicMBeanRegistry.get(BasicMBeanRegistry.java:529) [:6.0.0.GA]

              at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:664) [:6.0.0.GA]

              at org.jboss.jmx.adaptor.control.Server.invokeOpByName(Server.java:258) [:]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:391) [:]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet$4.run(HtmlAdaptorServlet.java:388) [:]

              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:387) [:]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:312) [:]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.processRequest(HtmlAdaptorServlet.java:106) [:]

              at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.doGet(HtmlAdaptorServlet.java:81) [:]

              at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:310) [:1.0.0.Final]

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:751) [:1.0.0.Final]

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]

              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.1.0.Final]

              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]

              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.1.0.Final]

              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [:6.1.0.Final]

              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.1.0.Final]

              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]

              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]

              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]

              at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]

              at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

     

     

    I did a more comprehensive search through my logs and found that the deploymet output was only in there once for every deployment.  The curious thing is that this output statement showed up over 12 hours after I deployed.  It is a little puzzling, but I am not too concerned.

     

    Furthermore, do you need the jmx-console? It's present in JBOSS_HOME/common/deploy folder by the way.

     

    I am pretty confident that I don't need the jmx-console running on the server.  Would I just remove the jmx-console.war folder to get rid of it?

  • 3. Re: Security Concern?
    Sam Halpa Newbie

    Hi jai,

     

    Could you please tell me how to remove / permenently disable the jmx-console in Jboss 6.1.0 Final?

  • 4. Re: Security Concern?
    Stefano Tortarolo Newbie

    Hi,

    if you're really sure that you don't need the jmx-console and you want to get rid of it, just remove its war directory under server/xxx/deploy.

     

    Cheers

  • 5. Re: Security Concern?
    Sam Halpa Newbie

    HI Stefano,

    Appreciate if you could tell me exactly what directory to be removed? Because i see several directories in JBOSS_HOME/server/xxx/deploy. Below are the directories i see there, so which one should be removed and are there any specific steps to be taken before delete that directory?

    1. hornetq -  What does this do anyway?
    2. http-invoker.sar
    3. jbossweb.sar
    4. jms-ra.rar
    5. mod_cluster.sar
    6. ROOT.war
    7. security
    8. uuid-key-generator.sar
    9. xnio-provider.jar

     

    Thanks

  • 6. Re: Security Concern?
    Stefano Tortarolo Newbie

    Hi Sam,

    sorry but I had read 5.1 instead of 6.1...

     

    In JBoss 6.1 the jmx-console.war directory is under common/deploy, but its deployment is on-demand and if you just remove/rename it you'll get a java.lang.IllegalStateException: Incompletely deployed.

     

    There are two ways:

    • if you want to remove jmx-console only for a single profile, simply remove/rename the file server/xxx/deploy/jmx-console-activator-jboss-beans.xml
    • if you want to remove it for every profile, remove/rename the directory common/deploy/jmx-console.war AND remove every server/xxx/deploy/jmx-console-activator-jboss-beans.xml file

     

    See also: https://community.jboss.org/message/734664#734664

     

    Cheers,

    Stefano

  • 7. Re: Security Concern?
    Sam Halpa Newbie

    Thanks a lot Stefano, It really helped me. Thanks again