[jboss-jira] [JBoss JIRA] Commented: (SECURITY-31) White Paper on JMX Security
Viacheslav Garmash (JIRA)
jira-events at lists.jboss.org
Sat Apr 2 23:57:38 EDT 2011
[ https://issues.jboss.org/browse/SECURITY-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12593386#comment-12593386 ]
Viacheslav Garmash commented on SECURITY-31:
--------------------------------------------
There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase article for more information:
JBoss Products & CVE-2010-0738
Only when you apply the solution can you be sure that your JMX Console is protected.
Please note that the Web Console has the same issue, and you need to apply the solution to it as well.
The attached PDF has a web.xml example with the same issue. Please update it by removing the http-method tags.
> White Paper on JMX Security
> ---------------------------
>
> Key: SECURITY-31
> URL: https://issues.jboss.org/browse/SECURITY-31
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: White Papers
> Reporter: Anil Saldhana
> Assignee: Anil Saldhana
> Attachments: index.html, jboss-securejmx.pdf
>
>
> There is a need for a simple technical white paper that talks about the various scenarios involved in securing jmx in JBoss. This includes the jmx consoles as well as the invokers.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
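
An added example, not part of the original message, the attached PDF or the Red Hat article: a Python check that lists the web-resource-collection entries in a web.xml that still carry http-method tags, which is the condition the comment asks to remove. Both sample descriptors, including the resource and role names, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not copied from the attached PDF).
TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constraint limited to the listed methods; any other method is not covered.
WEAK = TEMPLATE.format(
    methods="<http-method>GET</http-method><http-method>POST</http-method>")
# No http-method tags: the constraint applies to every HTTP method.
FIXED = TEMPLATE.format(methods="")


def local(tag):
    """Strip an XML namespace so descriptors with or without one both match."""
    return tag.rsplit("}", 1)[-1]


def method_limited_constraints(web_xml):
    """Return (resource name, url patterns, listed methods) for each
    web-resource-collection that restricts its constraint to listed methods."""
    findings = []
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) != "web-resource-collection":
            continue
        vals = {}
        for child in elem:
            vals.setdefault(local(child.tag), []).append((child.text or "").strip())
        if vals.get("http-method"):
            name = vals.get("web-resource-name", ["?"])[0]
            findings.append((name, vals.get("url-pattern", []), vals["http-method"]))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("fixed", FIXED)):
        print(label, method_limited_constraints(sample))
```

An empty result means no constraint in the descriptor is limited to specific methods; run it against both the JMX Console and Web Console descriptors, since the comment says both are affected.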