Title

Remote access to JMX subsystem must be disabled. (Cat II impact)

Discussion

The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.

Check Content

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. For a Managed Domain configuration, you must check each profile name: For each PROFILE NAME, run the command: "ls /profile=<PROFILE NAME>/subsystem=jmx/remoting-connector" For a Standalone configuration: "ls /subsystem=jmx/remoting-connector" If "jmx" is returned, this is a finding.

Fix Text

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. For a Managed Domain configuration you must check each profile name: For each PROFILE NAME, run the command: "/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove" For a Standalone configuration: "/subsystem=jmx/remoting-connector=jmx:remove"

Additional Identifiers

Rule ID: SV-213522r954822_rule

Vulnerability ID: V-213522

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.