Brian Stansberry updated AS7-5577:
----------------------------------
Fix Version/s: 7.1.3.Final (EAP)
(was: 7.1.4.Final (EAP))
Git Pull Request:
Affects Version/s: (was: 7.1.3.Final (EAP))
This will be cherry-picked into the 7.1.3.Final tag, as it was in EAP 6.0.0.GA.
CLONE - Disable JGroups diagnostics service by default
------------------------------------------------------
Key: AS7-5577
URL: https://issues.jboss.org/browse/AS7-5577
Project: Application Server 7
Issue Type: Bug
Components: Clustering
Affects Versions: 7.1.2.Final (EAP)
Reporter: Dennis Reed
Assignee: Radoslav Husar
Priority: Blocker
Labels: eap6_need_triage
Fix For: 7.1.3.Final (EAP), 7.2.0.Alpha1
The JGroups diagnostics service should be disabled by default.
This can be accomplished by removing the "diagnostics-socket-binding" attribute
from the <transport> tags in the JGroups subsystem.
This is a security issue, because the diagnostics port enables many security-sensitive
operations, with no authentication, including:
- full thread dump of the JVM
- add/remove JGroups protocols
- call any method on any JGroups protocol, passing in arbitrary arguments
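An added example, not part of the issue or the project's code: a check that lists JGroups `<transport>` elements still carrying the `diagnostics-socket-binding` attribute described above, and a helper that drops it. The sample profile, its namespace URIs, stack names and binding names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ATTR = "diagnostics-socket-binding"  # attribute named in the issue

# Constructed sample profile; namespace URIs, stack names and binding names
# are assumptions for illustration.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:1.2"><profile>
  <subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
    <stack name="udp">
      <transport type="UDP" socket-binding="jgroups-udp"
                 diagnostics-socket-binding="jgroups-diagnostics"/>
      <protocol type="PING"/>
    </stack>
    <stack name="tcp">
      <transport type="TCP" socket-binding="jgroups-tcp"/>
    </stack>
  </subsystem>
</profile></server>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _jgroups_transports(root):
    """Yield (stack_name, transport_element) for every JGroups <transport>."""
    for sub in root.iter():
        if _local(sub.tag) == "subsystem" and "jgroups" in sub.tag:
            for stack in (e for e in sub if _local(e.tag) == "stack"):
                for el in (e for e in stack if _local(e.tag) == "transport"):
                    yield stack.get("name"), el


def find_diagnostics_transports(xml_text):
    """Return (stack, transport type, binding) for transports with ATTR set."""
    root = ET.fromstring(xml_text)
    return [(name, el.get("type"), el.get(ATTR))
            for name, el in _jgroups_transports(root) if ATTR in el.attrib]


def strip_diagnostics(xml_text):
    """Return (xml, removed_count) with ATTR dropped from each transport.
    ElementTree regenerates namespace prefixes, so diff the result before use."""
    root = ET.fromstring(xml_text)
    removed = 0
    for _, el in _jgroups_transports(root):
        if el.attrib.pop(ATTR, None) is not None:
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

An empty list from `find_diagnostics_transports` means no stack in the profile enables the diagnostics service through this attribute.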