Skip to main content
ExLibris
Ex Libris Knowledge Center

Securing JBoss Web Console JMX Invoker in Digitool

Overview

A remote unauthenticated attacker can use the Web Console's JMX Invoker to perform management tasks using the MBean interfaces that are available in the underlying JBoss installation. A zip file is attached to the article with the instructions necessary to mitigate this vulnerability, and includes configuration files which need to be added.

Goal - Secure the JBOSS (JMX) web console invoker in Digitool

The JBOSS deploy path can be located on the Digitool server
At the console type:
>jb_deploy
This will change to the deploy directory. Eg.:
/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy
You will need to adjust this path if it differs from these instructions.

 

Implement the fix

Step 1 - Remove http-invoker.sar

Remove http-invoker.sar/ from the deploy path.

It is not sufficient to change the name it must be either deleted or moved outside the deploy path, eg. to /tmp

Step 2 - Download this file from the Digitool server to your PC

/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy/management/web-console.war
Extract the following two files from web-console.war (using Total Commander for example or other archive extractor) and edit as follows:
 
WEB-INF/web.xml
Uncomment the security-constraint block and add a <login-config> block after the end of the <security-constraint> block (if not already present).
  <security-constraint>
   <web-resource-collection>
   <web-resource-name>HtmlAdaptor</web-resource-name>
   <description>An example security config that only allows users with the
   role JBossAdmin to access the HTML JMX console web application
   </description>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
   <role-name>JBossAdmin</role-name>
   </auth-constraint>
   </security-constraint>
 
 
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss WEB Console</realm-name>
   </login-config>

(Find example of this file in secure_web-invoker.zip attached to article)
 
WEB-INF/jboss-web.xml
Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)
  
   <security-domain>java:/jaas/web-console</security-domain>
(Find example of this file in secure_web-invoker.zip attached to article)
 
Replace the files in  web-console.war on the Digitool server with the edited versions.

Step 3 - Copy directory

In secure_web-invoker.zip you will find a directory “props”.
Copy it to this path on the Digitool server:
/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/props

Step 4 - Edit this file

/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/login-config.xml
Change the path in these sections to the versions in the new “props” directory by adding “props/” to the front of the path:
<application-policy name = "jmx-console">
              <authentication>
                     <login-module 
                           code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = 
                           "required">
                           <module-option name="usersProperties">
                                  props/jmx-console-users.properties</module-option>
                           <module-option name="rolesProperties">
                                  props/web-console-roles.properties</module-option>
                     </login-module>
              </authentication>
       </application-policy>
 
 
       <application-policy name = "web-console">
              <authentication>
                     <login-module 
                           code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = 
                           "required">
                           <module-option name="usersProperties">
                                  props/web-console-users.properties</module-option>
                           <module-option name="rolesProperties">
                                  props/web-console-roles.properties</module-option>
                     </login-module>
              </authentication>
       </application-policy>

(Find example of this file in secure_web-invoker.zip attached to article)

Step 5 – Stop and start JBOSS

$jdtlh_bin/jboss_shutdown.sh
$jdtlh_bin/jboss_startup.sh

Attachment

Download secure_web-invoker.zip from this link:

//Feedback