[ https://issues.jboss.org/browse/SECURITY-31?page=com.atlassian.jira.plugi... ]
Viacheslav Garmash commented on SECURITY-31:
--------------------------------------------
This is a community courtesy notification for a severe security issue affecting some of
the JBoss projects and products. Default security settings in web.xml protect only the GET and
POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase
article for more information:
JBoss Products & CVE-2010-0738
Only when you apply the solution can you be sure that your JMX Console is protected.
Please note that the Web Console has the same issue, and you need to apply the solution to it
as well.
The attached PDF has a web.xml example with the same issue. Please update it by removing
the http-method tags.
White Paper on JMX Security
---------------------------
Key: SECURITY-31
URL: https://issues.jboss.org/browse/SECURITY-31
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: White Papers
Reporter: Anil Saldhana
Assignee: Anil Saldhana
Attachments: index.html, jboss-securejmx.pdf
There is a need for a simple technical white paper that talks about the various scenarios
involved in securing JMX in JBoss. This includes the JMX consoles as well as the invokers.
--
This message is automatically generated by JIRA.
For more information on JIRA, see:
http://www.atlassian.com/software/jira