0 Replies Latest reply on May 11, 2016 2:00 PM by joelradon

    WHD Vulnerability - Java JMX


      This is coming up during a vulnerability scan and pointing to the IP of our WHD Server. What can I do to fix this?


      The Java Management Extensions (JMX) service on this host does not require any authentication. The JMX/RMI service is used to monitor the Java Virtual Machine (JVM), but can also be used to register a new managed bean (MBean) from a remote URL using the "javax.management.loading.MLet" function. Using this function, a remote, unauthenticated attacker can upload and run a JAR file containing arbitrary Java code of the attacker's choosing.
      An attacker can execute arbitrary Java code running with the same privileges as the JMX/RMI process.
      Solution: If the JMX functionality is not required, it should be disabled. If it is required, ensure that the com.sun.management.jmxremote.authenticate and com.sun.management.jmxremote.ssl properties are both set to true. More information regarding configuration of the JMX service can be found in the external references section of this vulnerability.

      If the JMX service configuration is managed by software installed on this host and cannot be manually changed, consult with the vendor for an updated version of the software that doesn't use an insecure configuration for the JMX service.

      For any configuration changes made to the JMX service to take effect (either manually or via a software update from a vendor), the service will need to be restarted. If it's not clear which service needs to be restarted, restarting the host will make sure any relevant services are restarted.
      VMware only released a partial fix for this issue as it relates to vCenter Server (CVE-2015-2342). The following link provides a workaround if upgrading to a version of vCenter Server that contains the complete fix is not an option at this time:
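
Added example, not part of the original post or the scanner's text: a Python check of a JVM's JMX settings against the two properties the finding names. The sample command line, properties text, port 9999 and `app.jar` are constructed, and the parsers assume the settings arrive as `-D` flags or in a management.properties-style file.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"

def props_from_cmdline(cmdline):
    """Extract -Dcom.sun.management.jmxremote* properties from a JVM command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D" + PREFIX):
            key, _, val = tok[2:].partition("=")
            props[key] = val.strip().lower()
    return props

def props_from_file(text):
    """Extract the same properties from management.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:  # skips blanks and '#' comments
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip().lower()
    return props

def audit_jmx(props):
    """Return findings for one JVM's JMX properties; an empty list means none."""
    if PREFIX + ".port" not in props:
        return []  # remote connector not enabled through these properties
    findings = []
    # Both settings default to true in the JDK, so only an explicit non-true value weakens them.
    for name in ("authenticate", "ssl"):
        if props.get(f"{PREFIX}.{name}", "true") != "true":
            findings.append(f"{PREFIX}.{name} is not true")
    return findings

# Constructed sample inputs (not taken from a real WHD install).
WEAK = ("java -Dcom.sun.management.jmxremote.port=9999 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
FIXED = """# constructed management.properties
com.sun.management.jmxremote.port=9999
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.ssl=true
"""

if __name__ == "__main__":
    for label, props in (("weak", props_from_cmdline(WEAK)), ("fixed", props_from_file(FIXED))):
        print(label, audit_jmx(props) or "ok")
```

An empty result only means these properties do not weaken the connector; a JMX connector started programmatically by the application is outside what this check sees.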