A customer was flagged during a security audit for CVE-2015-0225, "Java JMX RMI Accessible with Common Credentials". To remediate this audit item, the customer had to make sure that either the JMX was password protected or not accessible to anyone.
The way to set this up is not straightforward. The customer thinks it would be better if the JMX configuration were read from a file. In the end, they decided to block remote JMX access on the server to pass the security code scan.
One issue in coming up with a solution is to make sure that each of the Java processes is using a unique port. One way to do that is to use $AGENT_ID and pass it to $XAP_COMPONENT_OPTIONS. Perhaps a solution would be better documentation. Is XAP_COMPONENT_OPTIONS going away? We don't document this environment variable.
The solution should work for securing JMX on .NET installations too.
.NET is not fixed; another Jira issue must be opened for it.
This is an example of a setenv-overrides.sh script for enabling this feature:
# Require a username/password for remote JMX, using the standard JVM
# access (roles) and password files. Note that ssl=false leaves the
# password unencrypted on the wire.
export EXT_JAVA_OPTIONS="-Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.access.file=/home/evgeny/dev/jmx/jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=/home/evgeny/dev/jmx/jmxremote.password"
# Base port from which the JMX connector ports are derived
export GS_JMX_REMOTE_BASE_PORT=8400
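The two pieces discussed above (a unique JMX port per process derived from $AGENT_ID, and the authenticated-JMX settings from the setenv-overrides.sh snippet) as one worked script. This is an added example, not code from the ticket or from the XAP product: it assumes AGENT_ID is a small integer unique per process on the host, the role names and user names are made up, and the JVM property names are the standard com.sun.management.jmxremote.* ones.

```shell
#!/bin/sh
# Added example (not from the ticket or the product). Assumption: AGENT_ID is
# a per-process integer, so base port + AGENT_ID gives each JVM its own port.

# Per-process JMX port: GS_JMX_REMOTE_BASE_PORT plus the agent id.
jmx_port() {
    base="$1"; agent_id="$2"
    echo $((base + agent_id))
}

# Write jmxremote.access (user -> readonly|readwrite) and jmxremote.password
# (user password) into $1. The JVM refuses to start if the password file is
# readable by group or others, so it is created with umask 077 and chmod 600.
# User names and passwords here are constructed for the demo.
write_jmx_files() {
    dir="$1"; ro_user="$2"; ro_pass="$3"; rw_user="$4"; rw_pass="$5"
    mkdir -p "$dir"
    printf '%s readonly\n%s readwrite\n' "$ro_user" "$rw_user" > "$dir/jmxremote.access"
    chmod 644 "$dir/jmxremote.access"
    ( umask 077
      printf '%s %s\n%s %s\n' "$ro_user" "$ro_pass" "$rw_user" "$rw_pass" > "$dir/jmxremote.password" )
    chmod 600 "$dir/jmxremote.password"
}

# Build the -D options. authenticate=true plus the password file is what the
# audit item asks for; ssl=false mirrors the ticket's snippet, which means the
# password crosses the network in cleartext, so only use it on a trusted LAN.
jmx_java_options() {
    dir="$1"; port="$2"
    printf '%s\n' "-Dcom.sun.management.jmxremote.port=$port \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.access.file=$dir/jmxremote.access \
-Dcom.sun.management.jmxremote.password.file=$dir/jmxremote.password"
}

# Same check the JVM performs: group and other bits on the password file
# must all be clear ("-rw-------").
password_file_mode_ok() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demonstration with constructed values: agent 3 on base port 8400 -> 8403.
demo_dir="${TMPDIR:-/tmp}/jmx-demo.$$"
write_jmx_files "$demo_dir" monitor 'r3ad-0nly' admin 'ch4nge-me'
port=$(jmx_port "${GS_JMX_REMOTE_BASE_PORT:-8400}" "${AGENT_ID:-3}")
EXT_JAVA_OPTIONS=$(jmx_java_options "$demo_dir" "$port")
export EXT_JAVA_OPTIONS
printf 'EXT_JAVA_OPTIONS=%s\n' "$EXT_JAVA_OPTIONS"
# A real setenv-overrides.sh would point at permanent files; the demo cleans up.
rm -rf "$demo_dir"
```

The ticket's snippet sets GS_JMX_REMOTE_BASE_PORT and leaves the per-process port to the product; whether the product derives it from the base port itself is not stated here, so the example sets com.sun.management.jmxremote.port explicitly. The file-mode check is worth keeping in any deployment script, because a password file copied with mode 644 is the usual reason an authenticated JMX setup fails to start.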
Which customer needs this fix as part of .NET? How many of these 7 tickets are .NET?
12818 and FD 5206 are .NET. I have sent you an email.
I’ve opened for this.