[jboss-user] [Installation, Configuration & DEPLOYMENT] - Default installations are unsecured
xmedeko
do-not-reply at jboss.com
Tue Mar 24 08:59:42 EDT 2009
Hi,
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
Just try to google for "jboss jmx management console" or "MBean inspector" and you can hack or shut down a lot of JBoss installations.
I know that it is the fault of the admins, but there are techniques to prevent it. Maybe colleagues from RedHat security can advise. Something like:
- the console is secured and a random password for admin is generated during the installation process (or maybe during the first run of the server? or any time a password is null a random password is generated?)
- the console is not configured by default. Instead, localhost:8080 points to a static web page, which tells the user how to start the secured (or unsecured) jmx-console
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4220569#4220569
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4220569
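The first suggestion in the post (replace a null or default admin password with a randomly generated one at install time) can be illustrated with a small installer-side routine. The following is an added example, not JBoss code and not from the poster; it assumes a users file in the plain `username=password` properties format and treats an empty password, or one identical to the username, as an unsecured default. The sample file contents and the function names are constructed for the example.

```python
"""Generate random credentials for a JMX-console users file at install time.

Added example, not JBoss code. It assumes a users file in the simple
"username=password" properties format, and that an empty password, or one
equal to the username, counts as an unsecured default.
"""
import secrets
import string

# Constructed sample: the shape of a users.properties file shipped with an
# unsecured default. The real file's path and contents are not taken from
# the thread; they are assumptions for this example.
SAMPLE_USERS_PROPERTIES = """\
# users.properties (constructed sample)
admin=admin
operator=
monitor=s3cr3t-from-the-installer
"""

ALPHABET = string.ascii_letters + string.digits


def parse_users(text):
    """Return {username: password} from 'user=password' lines.

    Blank lines and '#' comments are skipped; a line without '=' is ignored.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, password = line.partition("=")
        if not sep:
            continue  # malformed line, ignore
        users[name.strip()] = password.strip()
    return users


def weak_users(users):
    """Usernames whose password is empty or identical to the username."""
    return sorted(u for u, p in users.items() if p == "" or p == u)


def random_password(length=24):
    """Cryptographically random password built with the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def harden(text):
    """Replace every weak password with a freshly generated random one.

    Returns (new_text, {username: new_password}). An installer would show
    the generated passwords once instead of shipping a well-known default.
    Comments are not preserved in the rewritten file.
    """
    users = parse_users(text)
    generated = {}
    for name in weak_users(users):
        generated[name] = random_password()
        users[name] = generated[name]
    new_text = "\n".join(f"{u}={p}" for u, p in users.items()) + "\n"
    return new_text, generated


if __name__ == "__main__":
    before = weak_users(parse_users(SAMPLE_USERS_PROPERTIES))
    print("weak accounts before hardening:", before)
    rewritten, new_passwords = harden(SAMPLE_USERS_PROPERTIES)
    for user, pw in new_passwords.items():
        print(f"generated password for {user}: {pw}")
    print("weak accounts after hardening:", weak_users(parse_users(rewritten)))
```

The same `weak_users` check can run on every server start to implement the poster's second variant ("any time a password is null a random password is generated"): a non-empty result means the console is still protected only by a default, and the startup script can regenerate the credential before the console is reachable.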