Insecure Java JMX Configuration

Table of Contents

• Option 1: Disable JMX
• Option 2: Configure a Whitelist Firewall
• Option 3: Configure User Authentication on the JMX Server

Option 1: Disable JMX

JMX is only required if you need remote management and monitoring of a Java-based application or the Java Virtual Machine (JVM) running the application. If this isn’t required, disable it in your start-up options of the JVM or in the configuration of the application exposing the JMX port.

Option 2: Configure a Whitelist Firewall

Look for an option similar to -Dcom.sun.management.jmxremote.port=9999 in your application configuration or JVM command line arguments.

In this instance, port 9999 is the port JMX is utilizing. Restrict access to your local machine on port 9999 to hosts you trust and need access to the JMX port for remote management and monitoring.

Option 3: Configure User Authentication on the JMX Server

This will help prevent unauthorized users from accessing the JMX port and installing their own exploit payloads.

1. Create a password file jmxremote.password which should look similar to the following:NOTE: File name can be anything you want, but must match the argument provided in step 2 and 3). Use strong passwords.

##Defining two "roles", each with its own password
monitorRole  YourStrongPassword1
controlRole  YourStrongPassword2

1. The security of the password file relies on your file system’s access control mechanisms. The file must be readable by the user running the Java application exposing JMX. To do this on Windows, use a command like the following:cacls jmxremote.password /P username:R
2. When starting up your JVM, ensure the option below is added to the startup command:-Dcom.sun.management.jmxremote.password.file=jmxremote.password

Configure SSL on the JMX server. This will help prevent possible leakage of usernames and passwords in clear text over your network.

• Add the following to configure SSL for your JMX instance. Ensure your keystore password used when you created your certificate matches the appropriate options below.

  -Dcom.sun.management.jmxremote.ssl=true
  -Djavax.net.ssl.keyStore=/home/user/.keystore 
  -Djavax.net.ssl.keyStorePassword=myKeyStorePassword 
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true 
  -Djavax.net.ssl.trustStore=/home/user/.truststore 
  -Djavax.net.ssl.trustStorePassword=myTrustStorePassword 
  -Dcom.sun.management.jmxremote.registry.ssl=true