3

This morning I received from the auditors a scanner result for our JBoss server and we need to solve three important issues, but honestly I was googling for a while and found nothing. If anyone knows or has any clue how to solve them, I will appreciate it. We are running JBoss 5.0.1 on Windows 2003 x64.

Scan vulnerability:

- JBoss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users
- JBoss EJBInvokerServlet is Accessible to Unauthenticated Remote Users
- TLS Protocol Session Renegotiation Security Vulnerability

Thanks in advance.

rfders

2 Answers

3

http://yourservernamehere:8080/invoker/EJBInvokerServlet

If you've left your configuration as is, the above is available and you have a problem.

The reason you don't want to do it is pretty clear: it allows anyone to invoke any servlet they want that is on your system.

The short answer is, find it in your web.xml and disable it.

A Tomcat-specific article about the why: http://www.astrahosting.com/blog/2009/09/16/chapter-14-tomcat-security-disabling-an-invoker-servlet/

Ori

  • Mitigating the TLS Protocol Session Renegotiation Security Vulnerability depends on what you're using as your web front end. If you're running SSL on JBoss, you'll need to upgrade your JVM to a version of Java greater than or equal to 1.6.0_22 (if you need TLS renegotiation support) or versions 1.6.0_19-1.6.0_21 (if disabling TLS renegotiation entirely is OK for your site). – mahnsc Jun 11 '11 at 17:38
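As an added check (not code from the answer above or from JBoss), a small Python script that parses the invoker.war `WEB-INF/web.xml` and reports which invoker servlets are still mapped to a URL without a `security-constraint` that carries an `auth-constraint`. Both web.xml samples are constructed for the example; the servlet class name and the `HttpInvoker` role name are assumptions about a stock JBoss 5 deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of invoker.war/WEB-INF/web.xml (not copied from JBoss):
# both invoker servlets are mapped and no security-constraint covers them.
UNPROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>EJBInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name>
    <url-pattern>/EJBInvokerServlet/*</url-pattern></servlet-mapping>
</web-app>"""

# Same file with a security-constraint requiring the (assumed) HttpInvoker role for every URL.
PROTECTED = UNPROTECTED.replace("</web-app>", """
  <security-constraint>
    <web-resource-collection><web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>""")

INVOKERS = ("JMXInvokerServlet", "EJBInvokerServlet")

def _find(elem, name):
    # Match on the local tag name so a namespaced web.xml is handled too.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [e.text.strip() for e in _find(elem, name) if e.text]

def unprotected_invokers(web_xml):
    """Return the invoker servlets that are mapped to a URL and not covered by a
    security-constraint carrying an auth-constraint, i.e. reachable anonymously."""
    root = ET.fromstring(web_xml)
    mapped = {}
    for m in _find(root, "servlet-mapping"):
        for name in _texts(m, "servlet-name"):
            if name in INVOKERS:
                mapped.setdefault(name, []).extend(_texts(m, "url-pattern"))
    protected = set()
    for sc in _find(root, "security-constraint"):
        if _find(sc, "auth-constraint"):  # without auth-constraint a constraint denies nobody
            protected.update(_texts(sc, "url-pattern"))
    def covered(pattern):
        return "/*" in protected or pattern in protected
    return [n for n, pats in mapped.items() if not all(covered(p) for p in pats)]

if __name__ == "__main__":
    print(unprotected_invokers(UNPROTECTED))  # ['JMXInvokerServlet', 'EJBInvokerServlet']
    print(unprotected_invokers(PROTECTED))    # []
```

Removing the two `servlet-mapping` entries (or the whole invoker.war) also makes the check return an empty list, which is the simpler fix when nothing on the server needs the HTTP invokers.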
1

JBoss has horrifically insecure defaults, and is a terrific pain in the ass to lock down (a lot of files to touch, and crummy documentation spread all over creation on a collection of sites). It's worse than the first versions of IIS were back in the mid-1990s.

IMHO it should never be exposed directly to the internet - it's just too easy to screw up, and you never know when an upgrade will introduce a new open-to-the-world "feature".

So, to lock it down, put a proxy in front of it and pass only the application URL patterns you know you want the world to see. We are using nginx as a proxy on Linux talking to JBoss servers on Windows x64, but there are a lot of options in this area. Even ARR on IIS7 works well in this scenario.

rmalayter
  • more of a rant than an answer. – Mark W Jul 11 '14 at 09:06
  • The question was definitely answered. It was a rant AND an answer. Three years later and I stand by it too... JBoss should never be exposed directly to the internet. The attackable surface is huge, and many defaults are still woefully insecure. – rmalayter Jul 26 '14 at 01:53