JBoss ServerInfo MBean
Description
JBoss Application Server exposes a JMX (Java Management Extensions) console at /jmx-console by default, which provides administrative access to server management functions. In default installations, this console lacks authentication controls, allowing unauthorized users to access sensitive MBeans such as ServerInfo. The ServerInfo MBean exposes detailed system information including server configuration, Java runtime details, operating system properties, and deployment paths. This information disclosure vulnerability can be exploited remotely by unauthenticated attackers to gather reconnaissance data for further attacks.
Remediation
Secure the JMX console by implementing authentication and access controls. Follow these steps:
1. Enable authentication for the JMX console:
Edit jmx-console.war/WEB-INF/web.xml and uncomment the security-constraint section to require authentication.
2. Configure authorized users:
Add authorized users to jmx-console.war/WEB-INF/jboss-web.xml and define credentials in conf/props/jmx-console-users.properties:
admin=securepassword
3. Restrict network access:
Configure firewall rules or use JBoss bind address settings to limit JMX console access to trusted IP addresses only.
4. Consider disabling if unused:
If the JMX console is not required for operations, remove or undeploy the jmx-console.war application entirely.
5. Verify the fix:
After implementing changes, attempt to access the JMX console without credentials to confirm authentication is enforced.