Aug 9, 2011
tom

JBOSS Vulnerability [PCI Scan]

Question

This morning I received from the auditors a scanner result for our JBoss server and we need to solve three important issues, but honestly I was googling for a while and found nothing. If anyone knows or has any clue how to solve them, I will appreciate it. We are running JBoss 5.0.1 on Windows 2003 x64.

Scan vulnerability:

- JBoss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users
- JBoss EJBInvokerServlet is Accessible to Unauthenticated Remote Users
- TLS Protocol Session Renegotiation Security Vulnerability

Thanks in advance.

Answer

http://yourservernamehere:8080/invoker/EJBInvokerServlet

If you’ve left your configuration as is and the above is available, you have a problem.

The reason you don’t want to do it is pretty clear: it allows anyone to invoke any servlet they want that is on your system.

The short answer is, find it in your web.xml and disable it.

A Tomcat Specific article about the why:
http://www.astrahosting.com/blog/2009/09/16/chapter-14-tomcat-security-disabling-an-invoker-servlet/
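The answer's "find it in your web.xml and disable it" can be checked rather than eyeballed. The script below is an added example, not code from the original post or from JBoss: it parses a web.xml with the standard library and lists every servlet mapping that no security-constraint with an auth-constraint covers. The two web.xml documents inside it are constructed for the example; the servlet names and URL patterns follow the stock http-invoker.sar layout (in JBoss 5 that file is, as an assumption about your install, under deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml, and the role name HttpInvoker is the one the stock file's commented-out constraint uses).

```python
"""Report invoker servlets reachable without authentication in a web.xml.

Added example; not the original post's or JBoss's code. Both sample
documents below are constructed for this check.
"""
import xml.etree.ElementTree as ET

# Constructed: servlet declarations shared by the vulnerable and hardened files.
INVOKER_SERVLETS = """
  <servlet>
    <servlet-name>EJBInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>EJBInvokerServlet</servlet-name>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </servlet-mapping>
"""

# Constructed: constraint requiring an authenticated user in the HttpInvoker role.
AUTH_CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss HTTP Invoker</realm-name>
  </login-config>
  <security-role>
    <role-name>HttpInvoker</role-name>
  </security-role>
"""

VULNERABLE_WEB_XML = "<web-app>" + INVOKER_SERVLETS + "</web-app>"
HARDENED_WEB_XML = "<web-app>" + INVOKER_SERVLETS + AUTH_CONSTRAINT + "</web-app>"


def _local(tag):
    """Strip a '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    kids = _children(el, name)
    return (kids[0].text or "").strip() if kids else ""


def _matches(pattern, path):
    """Servlet-spec URL pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def protected_patterns(root):
    """URL patterns guarded by an auth-constraint for every HTTP method."""
    patterns = []
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # transport-only constraint: no authentication required
        for wrc in _children(sc, "web-resource-collection"):
            if _children(wrc, "http-method"):
                continue  # listing methods leaves the unlisted ones unconstrained
            patterns.extend((u.text or "").strip() for u in _children(wrc, "url-pattern"))
    return patterns


def unprotected_servlets(web_xml):
    """Return [(servlet-name, url-pattern)] reachable without authentication."""
    root = ET.fromstring(web_xml)
    guarded = protected_patterns(root)
    findings = []
    for sm in _children(root, "servlet-mapping"):
        pattern = _text(sm, "url-pattern")
        # Probe a representative request path below a '/x/*' mapping.
        path = pattern[:-2] + "/probe" if pattern.endswith("/*") else pattern
        if not any(_matches(p, path) for p in guarded):
            findings.append((_text(sm, "servlet-name"), pattern))
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, unprotected_servlets(doc))
```

Run against the file from your own deployment by reading it into `unprotected_servlets`. Two caveats for the hardened variant: a security-constraint only bites once the web app is bound to a security domain with users in the HttpInvoker role (in JBoss 4/5 that binding lives in jboss-web.xml, and its users are not created by the constraint), and a web-resource-collection that enumerates `<http-method>` elements protects only those methods, which is why the check treats such collections as unguarded. Removing the servlet-mapping outright, as the answer suggests, needs no realm and is the safer choice when nothing legitimately uses the HTTP invoker.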
