Bug 216177 - JBossAS needs to be bound to localhost by default
Summary: JBossAS needs to be bound to localhost by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Web Application Stack
Classification: Retired
Component: jbossas
Version: v1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Deepak Bhole
QA Contact: Len DiMaggio
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-11-17 17:01 UTC by Deepak Bhole
Modified: 2006-11-27 15:43 UTC (History)

Fixed In Version: RHSA-2006-0743
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-27 15:43:12 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0743 0 high SHIPPED_LIVE Critical: jbossas security update 2006-11-27 15:42:57 UTC

Description Deepak Bhole 2006-11-17 17:01:43 UTC
Description of problem:

By default, AS listens on the server address, not localhost. This means external
users can potentially access the jmx/web consoles, and jmx/rmi-http invoker
services. Since these services do not require authentication by default, this is
a security hazard.

Version-Release number of selected component (if applicable):
4.0.4-1.el4s1.20

How reproducible:
Always

Steps to Reproduce:
1. Start jboss
2. Connect to http://<address>:8080 and click on the jmx console link

Actual results:
One can connect to the console.

Expected results:
Either connection refused, or authentication required (with default rpm install)

Comment 1 Len DiMaggio 2006-11-21 00:51:00 UTC
An issue we have to consider with this bz is that if we replace config files to
resolve the problem, and customers have already customized those files, their
customizations will be lost. We'll have to be careful/clear in documenting this
for customers.


Comment 2 Marcel Holtmann 2006-11-21 07:47:33 UTC
If we add JBOSS_IP="127.0.0.1" to /etc/sysconfig/jbossas, all future
installations will listen on localhost only and the default installation will be
safe. This still requires documentation on securing the console when opening the
JBoss AS to the public, which should be added anyway; since there already exists
a wiki page about securing the console, it should be no big deal. It is only a
matter of putting that into the right places of the installation manual so that
customers are aware of it.

The case of already installed servers is different, because
/etc/sysconfig/jbossas is a noreplace config file from the RPM point of view.
That is a good thing, since customers may have deployed a public server and
forcing it to localhost only with an update would break their setup. However,
they are still vulnerable, and it is the job of a kbase article and the errata
text to make them aware of the security issue.

So this is not a big deal. The case that we want to make the console secure even
for publicly available installations by default is another thing. I do not have
enough internal insight into JBoss AS to give any advice on it. So this is up to
you to find a solution.
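A shell check for the setting proposed in Comment 2, added here as an example that is not part of the bug report or the jbossas package: it reads the JBOSS_IP value from a sysconfig file and classifies bind addresses, so an administrator can confirm a host is pinned to the loopback interface. JBOSS_IP, /etc/sysconfig/jbossas and port 8080 are the values named in the bug; the sample file contents and socket addresses are constructed.

```shell
# Added example (not from the bug report or the jbossas RPM): audit the JBOSS_IP
# setting in an /etc/sysconfig/jbossas-style file and classify the bind address
# of a listening socket. Sample file contents and socket lines are constructed.

# Print the effective JBOSS_IP from a sysconfig file, unquoted; empty if unset.
# The last assignment wins, as it would when the init script sources the file.
jboss_ip_from_sysconfig() {
    sed -n 's/^[[:space:]]*JBOSS_IP=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Classify a bind address: loopback, all (every interface), default (unset; the
# report says the stock install then listens on the server address), or
# specific (one routable address, still reachable from outside the host).
classify_bind() {
    case "$1" in
        127.0.0.1|localhost|::1) echo loopback ;;
        0.0.0.0|::|\*) echo all ;;
        "") echo default ;;
        *) echo specific ;;
    esac
}

# Classify the local-address column of an `ss -ltn`/netstat line such as
# "0.0.0.0:8080" or "[::]:8080" by stripping the port and IPv6 brackets.
classify_listener() {
    addr=${1%:*}; addr=${addr#\[}; addr=${addr%\]}
    classify_bind "$addr"
}

# Succeed (exit 0) only when the file pins JBoss to the loopback interface.
sysconfig_is_localhost_only() {
    [ "$(classify_bind "$(jboss_ip_from_sysconfig "$1")")" = loopback ]
}

# Demo on constructed files: the pre-fix default and the corrected setting.
tmp=$(mktemp -d)
printf 'JBOSS_USER=jboss\n' > "$tmp/jbossas.before"
printf 'JBOSS_USER=jboss\nJBOSS_IP="127.0.0.1"\n' > "$tmp/jbossas.after"
for f in "$tmp/jbossas.before" "$tmp/jbossas.after"; do
    if sysconfig_is_localhost_only "$f"; then
        echo "$f: OK, bound to localhost"
    else
        echo "$f: NOT localhost-only ($(classify_bind "$(jboss_ip_from_sysconfig "$f")"))"
    fi
done
rm -rf "$tmp"
# Constructed socket lines as ss would print them for the jmx-console port.
for sock in 0.0.0.0:8080 127.0.0.1:8080 '[::]:8080'; do
    echo "$sock -> $(classify_listener "$sock")"
done
```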


Comment 8 Mark J. Cox 2006-11-27 15:30:52 UTC
Removing embargo. See also http://kbase.redhat.com/faq/FAQ_107_9629.shtm

Comment 9 Red Hat Bugzilla 2006-11-27 15:43:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0743.html
