JBoss JMX Console Unrestricted Access
Description
JBoss Application Server ships with a default configuration in which the JMX Console and the Web Console are reachable without authentication at /jmx-console and /web-console. These administrative interfaces expose the server's MBeans and give full control over the application server: viewing system information, deploying and undeploying applications (and therefore running attacker-supplied code), and shutting down services. Without access controls, anyone who can reach the HTTP port, including remote attackers, can use them.
Remediation
Restrict access to the JMX Console and Web Console by enabling the authentication and authorization constraints that ship commented out. Follow these steps:
1. Edit the web.xml file located in JBOSS_HOME/server/[config]/deploy/jmx-console.war/WEB-INF/ and JBOSS_HOME/server/[config]/deploy/management/console-mgr.sar/web-console.war/WEB-INF/
2. Uncomment the security-constraint section to enable authentication. Keep the url-pattern at /* and do not add http-method elements: a constraint that lists only GET and POST leaves every other HTTP verb (HEAD, PUT, DELETE and so on) unconstrained, and the console servlet still answers them.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
The jboss-web.xml file in the same WEB-INF directory also ships with its security-domain element commented out; uncomment it so the constraint is backed by the console's login module.
3. Configure user credentials in JBOSS_HOME/server/[config]/conf/props/jmx-console-users.properties and the role mapping in jmx-console-roles.properties in the same directory. Replace the shipped default account (admin with password admin) with a strong, unique password; a console protected by a default password is not protected.
4. Alternatively, remove the console applications entirely if they are not required, or restrict access by IP address using firewall rules or web server configurations.
5. Verify the fix: an unauthenticated request to /jmx-console/ and /web-console/ must be rejected (HTTP 401) for every HTTP method, not only GET and POST.
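As an added check for the procedure above (example code written for this page, not part of the advisory or of JBoss), the following Python script parses a console web.xml the way the container does, ignoring commented-out sections, and reports whether a security-constraint covers every path and every HTTP method, whether a login-config exists, and whether the users file still carries the shipped default admin account. The embedded web.xml variants and users file are constructed samples; in practice feed it the files at the paths listed in steps 1 and 3.

```python
"""Audit a JBoss console web.xml and users.properties for the weak default state.

Example tooling written for this page; it is not a JBoss utility.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the shipped jmx-console web.xml: the constraint is
# present but commented out, so the parser never sees it (nor does the server).
SHIPPED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
  <login-config><auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>
"""

# Same file with the constraint uncommented and no http-method list (step 2).
HARDENED_WEB_XML = SHIPPED_WEB_XML.replace("  <!--\n", "").replace("  -->\n", "")

# A constraint restricted to GET and POST leaves every other verb unconstrained.
VERB_LIMITED_WEB_XML = HARDENED_WEB_XML.replace(
    "<url-pattern>/*</url-pattern>",
    "<url-pattern>/*</url-pattern>\n      <http-method>GET</http-method>"
    "\n      <http-method>POST</http-method>")

# Constructed users file still carrying the shipped default account.
SAMPLE_USERS_PROPERTIES = "# A sample users.properties file\nadmin=admin\n"

# Default credentials JBoss ships for the console; assumed complete for this example.
DEFAULT_CREDENTIALS = {("admin", "admin")}


def _local(tag):
    """Drop an XML namespace prefix ('{ns}web-app' -> 'web-app')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def audit_web_xml(xml_text):
    """Return findings for a console web.xml; an empty list means every
    request to the console, whatever its method, needs the JBossAdmin role."""
    root = ET.fromstring(xml_text)  # comments are discarded, as the container does
    findings = []
    protects_all = False
    for sc in _children(root, "security-constraint"):
        roles = [r for ac in _children(sc, "auth-constraint")
                 for r in _text(ac, "role-name")]
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" not in _text(wrc, "url-pattern"):
                continue
            methods = _text(wrc, "http-method")
            if not roles:
                findings.append("constraint on /* has no auth-constraint role")
            elif methods:
                findings.append("constraint on /* only covers http-method %s; "
                                "other verbs bypass it" % ",".join(methods))
            else:
                protects_all = True
    if not protects_all and not findings:
        findings.append("no security-constraint covers /* (still commented out?)")
    if not _children(root, "login-config"):
        findings.append("no login-config, so no auth-method is defined")
    return findings


def audit_users_properties(text):
    """Flag accounts in a users.properties file still using a shipped default password."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, password = line.partition("=")
        if (user.strip(), password.strip()) in DEFAULT_CREDENTIALS:
            findings.append("default credential %s=%s still present"
                            % (user.strip(), password.strip()))
    return findings


def audit_console(web_xml, users_properties):
    """Combined report for one console deployment; empty list means hardened."""
    return audit_web_xml(web_xml) + audit_users_properties(users_properties)


if __name__ == "__main__":
    for name, doc in [("shipped", SHIPPED_WEB_XML),
                      ("verb-limited", VERB_LIMITED_WEB_XML),
                      ("hardened", HARDENED_WEB_XML)]:
        print(name, audit_web_xml(doc) or "OK")
    print("users", audit_users_properties(SAMPLE_USERS_PROPERTIES) or "OK")
```

To audit a real deployment, read web.xml from the path in step 1 and the users file from the path in step 3 and pass their contents to audit_console; a non-empty result means the console is still open or still uses the default password.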