Insecure Java JMX Configuration
Table of Contents
- Option 1: Disable JMX
- Option 2: Configure a Whitelist Firewall
- Option 3: Configure User Authentication on the JMX Server
Option 1: Disable JMX
JMX remote management is only required if you need to manage or monitor a Java-based application, or the Java Virtual Machine (JVM) running it, from another host. If you do not, disable it: remove the com.sun.management.jmxremote options from the JVM start-up options, or the equivalent setting in the configuration of the application exposing the JMX port. Local tools such as JConsole attaching to a JVM on the same host use the attach mechanism and do not need an open port.
Option 2: Configure a Whitelist Firewall
Look for an option similar to -Dcom.sun.management.jmxremote.port=9999 in your application configuration or JVM command line arguments; in this instance, port 9999 is the port on which the JMX RMI registry listens. Restrict access to that port on your machine to the hosts you trust and that need it for remote management and monitoring. Note that the remote connector uses a second TCP port for the RMI connection itself. Unless it is pinned with -Dcom.sun.management.jmxremote.rmi.port=<port> (JDK 7u4 and later; it may be the same number as jmxremote.port) that port is chosen at random at start-up, and a firewall rule on the registry port alone does not cover it. Set both ports explicitly and whitelist both.
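As an added example (not part of the original page), the script below reads the two JMX ports out of a JVM command line and generates an nftables whitelist for them, refusing to produce a rule set when jmxremote.rmi.port is not pinned. The nftables syntax, the table name jmx, the trusted addresses and the command lines are all constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: derive a whitelist firewall rule
# set from a JVM's command line. Assumes nftables (IPv4 sources) and that the
# generated table is loaded alongside your existing rules; the command lines
# below are constructed.

# Print the value of -D<property>=<value> from a JVM command line, or nothing
# if the property is absent (options containing spaces are not handled).
jmx_prop() {
    local esc
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are regex metacharacters
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$esc=//p" | head -n 1
}

# Emit nftables rules that accept the JMX registry port ($1) and the RMI
# connector port ($2) only from the trusted hosts ($3, space-separated IPv4
# addresses or CIDRs) and drop everything else aimed at those ports.
jmx_nft_rules() {
    local ports trusted
    if [ "$1" = "$2" ]; then ports=$1; else ports="$1, $2"; fi
    trusted=$(printf '%s' "$3" | sed 's/ /, /g')
    cat <<EOF
table inet jmx {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { $ports } ip saddr { $trusted } accept
        tcp dport { $ports } drop
    }
}
EOF
}

# Plan the firewall for one JVM. This fails when the RMI connector port is not
# pinned: without -Dcom.sun.management.jmxremote.rmi.port the connector is
# exported on a random port that a rule on the registry port does not cover.
jmx_firewall_plan() {
    local port rmi
    port=$(jmx_prop "$1" com.sun.management.jmxremote.port)
    rmi=$(jmx_prop "$1" com.sun.management.jmxremote.rmi.port)
    if [ -z "$port" ]; then
        echo "no remote JMX port in command line; nothing to firewall" >&2
        return 2
    fi
    if [ -z "$rmi" ]; then
        echo "jmxremote.port=$port but jmxremote.rmi.port is not set: pin it first" >&2
        return 1
    fi
    jmx_nft_rules "$port" "$rmi" "$2"
}

# Constructed command lines; on a live host use: tr '\0' ' ' < /proc/<pid>/cmdline
PINNED='java -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.rmi.port=9999 -jar app.jar'
UNPINNED='java -Dcom.sun.management.jmxremote.port=9999 -jar app.jar'
jmx_firewall_plan "$PINNED" "10.0.0.5 10.0.0.0/24"
jmx_firewall_plan "$UNPINNED" "10.0.0.5" || echo "(fix the JVM options before writing a rule)"
```

The rule set is deliberately a separate table with an accept policy so it only governs the two JMX ports; the final drop rule is what turns the whitelist into a default deny for those ports. Load it with nft -f and verify with nft list table inet jmx.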
Option 3: Configure User Authentication on the JMX Server
This will help prevent unauthorized users from accessing the JMX port and installing their own exploit payloads.
1. Create a password file, for example jmxremote.password, which should look similar to the following (the file name can be anything you want, but it must match the argument provided in steps 2 and 3). Use strong, unique passwords.
# Defining two "roles", each with its own password
monitorRole YourStrongPassword1
controlRole YourStrongPassword2
Each role's permissions come from the access file: the JDK's default jmxremote.access grants monitorRole read-only and controlRole read-write access, and -Dcom.sun.management.jmxremote.access.file=<file> points the JVM at your own.
2. The security of the password file relies on your file system's access control mechanisms. The file must be readable by the user running the Java application exposing JMX, and by nobody else. On Unix, run chmod 600 jmxremote.password; the JVM refuses to start if the file is readable by group or other. On Windows, use a command like the following:
cacls jmxremote.password /P username:R
JDK 10 and later replace clear-text entries in this file with salted hashes the first time it is read; mode 600 leaves the owner the write access this needs.
3. When starting up your JVM, ensure the option below is added to the start-up command:
Configure SSL on the JMX server. This prevents usernames, passwords and the management traffic itself from crossing your network in clear text. Add the following options to configure SSL for your JMX instance. The keystore password must match the one used when you created the certificate, and the truststore must contain the CA (or certificates) of the clients allowed to connect, because need.client.auth=true rejects any client that cannot present a trusted certificate. With registry.ssl=true the RMI registry is served over SSL as well, so clients such as JConsole must be given the trust material as system properties (-J-Djavax.net.ssl.trustStore=...). Keep in mind that values passed as -D options are visible to every local user in the process list; -Dcom.sun.management.config.file=<file> lets you move these settings into a properties file with restricted permissions instead.
-Dcom.sun.management.jmxremote.ssl=true
-Djavax.net.ssl.keyStore=/home/user/.keystore
-Djavax.net.ssl.keyStorePassword=myKeyStorePassword
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/home/user/.truststore
-Djavax.net.ssl.trustStorePassword=myTrustStorePassword
-Dcom.sun.management.jmxremote.registry.ssl=true
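The following script is an added example, not part of the original page, covering the whole of Option 3 as one procedure: it checks the password file from step 1 and 2 before launch, and it writes the authentication and SSL settings into two properties files of mode 600 instead of putting them on the command line. The JVM is pointed at them with -Dcom.sun.management.config.file, and the password file is passed through the com.sun.management.jmxremote.password.file property; the keystore and truststore passwords go into the separate file named by com.sun.management.jmxremote.ssl.config.file. The function names, the temporary directory and the sample password file are constructed for illustration; the keystore paths and passwords are the placeholders from the page.

```shell
#!/bin/sh
# Added example, not from the original page: pre-launch checks for the password
# file and a layout that keeps the JMX secrets out of the java command line.
# Assumes GNU or BSD stat and a HotSpot JDK, whose management agent reads
# com.sun.management.config.file and com.sun.management.jmxremote.ssl.config.file
# (both described in the JDK's lib/management/management.properties template).

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner of a file, same fallback.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Check a jmxremote.password file before handing it to the JVM. On Unix the JVM
# itself refuses to start when the file is readable by group or other; this
# repeats that check with a clearer message and adds two of its own: the file
# must be owned by the user launching the JVM, and every non-comment line must
# carry a role name plus a password (clear text, or the hashed form that
# JDK 10 and later write back into the file).
jmx_check_password_file() {
    local f=$1 mode
    [ -f "$f" ] || { echo "password file $f does not exist" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "password file $f must be mode 600 (or 400), found $mode" >&2; return 1 ;;
    esac
    [ "$(file_uid "$f")" = "$(id -u)" ] \
        || { echo "password file $f is not owned by uid $(id -u)" >&2; return 1; }
    if grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
        | awk 'NF < 2 { bad = 1 } END { exit bad + 0 }'; then
        return 0
    fi
    echo "password file $f has a role line without a password" >&2
    return 1
}

# Write management.properties and ssl.properties, both mode 600, so that the
# password-file path and the keystore/truststore passwords never appear on the
# java command line, where any local user can read them from ps or
# /proc/<pid>/cmdline. Prints the single -D option to pass to java.
# $1 config dir, $2 JMX port, $3 password file, $4 keystore, $5 keystore
# password, $6 truststore, $7 truststore password.
jmx_write_config() {
    local dir=$1 mgmt ssl
    mgmt="$dir/management.properties"
    ssl="$dir/ssl.properties"
    (
        umask 077   # new files are created 0600; scoped to this subshell
        cat > "$ssl" <<EOF
javax.net.ssl.keyStore=$4
javax.net.ssl.keyStorePassword=$5
javax.net.ssl.trustStore=$6
javax.net.ssl.trustStorePassword=$7
EOF
        cat > "$mgmt" <<EOF
com.sun.management.jmxremote.port=$2
# Pin the RMI connector port as well so a firewall rule can cover both ports.
com.sun.management.jmxremote.rmi.port=$2
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.password.file=$3
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.registry.ssl=true
com.sun.management.jmxremote.ssl.need.client.auth=true
com.sun.management.jmxremote.ssl.config.file=$ssl
EOF
    )
    chmod 600 "$mgmt" "$ssl"   # in case the files already existed with wider permissions
    printf '%s\n' "-Dcom.sun.management.config.file=$mgmt"
}

# Demonstration on a constructed password file (no real credentials).
demo=$(mktemp -d)
printf '%s\n' '# Defining two "roles", each with its own password' \
    'monitorRole YourStrongPassword1' 'controlRole YourStrongPassword2' \
    > "$demo/jmxremote.password"
chmod 644 "$demo/jmxremote.password"
jmx_check_password_file "$demo/jmxremote.password" || echo "(rejected, as expected, at mode 644)"
chmod 600 "$demo/jmxremote.password"
jmx_check_password_file "$demo/jmxremote.password" && echo "password file accepted"
opt=$(jmx_write_config "$demo" 9999 "$demo/jmxremote.password" \
    /home/user/.keystore myKeyStorePassword /home/user/.truststore myTrustStorePassword)
echo "java $opt -jar app.jar"
rm -r "$demo"
```

The JVM enforces the permission check on the password file but not on the properties files, so the chmod 600 on management.properties and ssl.properties is the script's responsibility; without it the keystore password would be just as exposed as on the command line. The same ownership and mode checks apply to the keystore and truststore themselves.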