If a JBOSS server is using HTTP Basic Authentication to access its
jmx-console, how safe it is?
If the above JBOSS is configured in a way, that it supports only HTTPS, how
safe HTTP Basic Authentication is?
If the above jboss is configured in a way that it uses HTTPS to access
jmx-console on one port e.g. 21017 BUT then there is another port 21018 on
which jmx-console is available on HTTP and using the same user-credentials
for HTTP Basic Authentication? How safe that is?
Depends on a few factors:
a) Do they have CPU or audit logging to detect and escalate a response to
an in progress brute force attack? Usually, no
b) Depends if they have removed or disabled all default accounts for
jmx-console. Usually, no
c) Depends on the complexity of the passwords chosen. We can brute force
about 1000-2000 tests per second on a locally situated JBoss server that is
doing nothing else using Hydra or similar. If you have chosen a 16
character random password or a long passphrase, brute forcing will never
find the password in a reasonable time
d) Can an attacker intercept the communications between a valid
administrator of jmx-console or other sensitive traffic? If so, password
complexity does not matter, the issue relates to encrypted or interceptable
traffic. If jmx-console is not available outside of the management network,
I believe the risk to be relatively low. Just consider all those SuperMicro
IPMI vulnerabilities - folks can and are pwned by this issue, but for the
most part, if the management ports are properly protected as AS 4444 / BS
7799 / 17799 / 27002 has required since I don't know, 20 years now, then
... is this an issue that needs further tightening.
Honestly, considering that it took me longer to type this up than it would
take a system administrator to close these issues down, I would say "just
fix it". Attack surface reduction is always a great idea, just in case we
found out more later.
And it would be great if Red Hat would no enable JMX Console etc by default
for new installs. Those who need it, know it. They can turn it on after
thinking about how best to secure it for their specific business
requirements.
thanks
Andrew
On Fri, Feb 14, 2014 at 6:41 AM, RDX Guy rdx.guy@gmail.com wrote:
If a JBOSS server is using HTTP Basic Authentication to access its
jmx-console, how safe it is?
If the above JBOSS is configured in a way, that it supports only HTTPS,
how safe HTTP Basic Authentication is?
If the above jboss is configured in a way that it uses HTTPS to access
jmx-console on one port e.g. 21017 BUT then there is another port 21018 on
which jmx-console is available on HTTP and using the same user-credentials
for HTTP Basic Authentication? How safe that is?
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org