OSGi Management Console Default Credentials
Description
OSGi (Open Service Gateway Initiative) is a Java framework for developing and deploying modular software programs and libraries. Most OSGi runtimes expose a browser-based management console (the Apache Felix Web Console, typically served at /system/console, is the most common implementation) for installing, starting and stopping bundles, editing configuration and inspecting the running framework. This vulnerability occurs when that console is reachable and still accepts the factory default credentials:
- Username: admin
- Password: admin
Default credentials are commonly targeted by attackers because they give immediate administrative access without requiring exploitation of a more complex vulnerability. On an OSGi console that access is equivalent to code execution on the host: an authenticated administrator can upload and start an arbitrary bundle, which runs with the privileges of the JVM process.
Remediation
Immediately change the default credentials for the OSGi Management Console to prevent unauthorized access. Follow these steps:
- Change the default password: Access the OSGi console configuration and set a long (at least 16 characters), randomly generated password that is unique to this console. Store it hashed where the implementation supports hashed passwords rather than as plaintext in a configuration file, and rotate it if it has ever been committed to source control or a build image.
- Restrict network access: Configure firewall rules or network ACLs to limit console access to trusted IP addresses or networks only, or bind the embedded HTTP service to a loopback or dedicated management interface. The console should never be exposed to the public internet.
- Disable the console if not needed: If the management console is not required for production operations, stop or uninstall the console bundle entirely to eliminate the attack surface.
- Implement authentication controls: Consider implementing additional authentication mechanisms such as client certificates, a reverse proxy that terminates TLS and enforces single sign-on, or integration with enterprise authentication systems (LDAP, Active Directory). The Felix Web Console supports plugging in an external authenticator through its WebConsoleSecurityProvider service.
- Enable audit logging: Configure logging for all console access attempts (including failed logins) and administrative actions such as bundle installation and configuration changes, and forward the logs off-host so that unauthorized access can be detected and reconstructed.
For the Apache Felix Web Console, the credentials are held by the OSGi Configuration Admin service under the PID org.apache.felix.webconsole.internal.servlet.OsgiManager (properties username and password); the same PID can be supplied as a configuration file through File Install, and the Felix documentation describes the supported hashed-password format. A users.properties file is the mechanism of container distributions built on Felix (for example Apache Karaf, whose etc/users.properties ships its own default account) rather than of the Felix console itself, so check both places in such deployments. Consult your specific OSGi implementation's documentation for exact configuration procedures.
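The following script is an added example (it is not code from this page or from the Apache Felix project) that shows how to check a console for the admin/admin factory default described above and how to verify that the remediation steps took effect. It assumes the Felix Web Console layout: HTTP Basic authentication on the path /system/console. The host name and the simulated console responses are constructed for the example so that it runs offline; against a live host, drop the fetch= argument and the real urllib transport is used.

```python
# Added example, not code from the page or from the Apache Felix project.
# Read-only check for the admin/admin factory default on an OSGi management
# console. Assumes the Apache Felix Web Console layout: HTTP Basic auth on
# /system/console. Host names and simulated responses are constructed.
import base64
import urllib.error
import urllib.request

CONSOLE_PATH = "/system/console"          # Felix Web Console default path
FACTORY_DEFAULTS = [("admin", "admin")]   # the credentials this page is about


def basic_auth_header(user, password):
    """RFC 7617 Basic credential: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def http_status(url, headers, timeout=10):
    """Real transport. Returns the HTTP status code, or None if unreachable.
    4xx/5xx responses are answers, not errors, so they are returned."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_console(base_url, creds=FACTORY_DEFAULTS, fetch=http_status):
    """Classify a console. Returns one of:
      'unreachable'         - no HTTP answer at all
      'unauthenticated'     - 200 with no credentials: no auth, or a form
                              login page; confirm by eye
      'not-basic-auth'      - no 401 challenge; Basic-auth probing is
                              inconclusive here
      'default-credentials' - a factory default pair is accepted (finding)
      'ok'                  - auth enforced and no default pair accepted
    An unauthenticated request is sent first: without a 401 challenge a
    200 for admin/admin would prove nothing."""
    url = base_url.rstrip("/") + CONSOLE_PATH
    anon = fetch(url, {})
    if anon is None:
        return "unreachable"
    if anon == 200:
        return "unauthenticated"
    if anon != 401:
        return "not-basic-auth"
    for user, password in creds:
        if fetch(url, {"Authorization": basic_auth_header(user, password)}) == 200:
            return "default-credentials"
    return "ok"


def simulated_console(accepted):
    """Constructed stand-in for http_status so the example runs offline:
    models a console that answers 200 only for the (user, password) pairs
    in `accepted` and 401 otherwise."""
    valid = {basic_auth_header(u, p) for u, p in accepted}

    def fetch(url, headers, timeout=10):
        return 200 if headers.get("Authorization") in valid else 401

    return fetch


if __name__ == "__main__":
    # Two constructed targets: one left at factory defaults, one rotated.
    target = "http://osgi.example.internal:8080"
    stock = simulated_console([("admin", "admin")])
    rotated = simulated_console([("admin", "correct-horse-battery-staple-2024")])
    print("stock console:  ", check_console(target, fetch=stock))
    print("rotated console:", check_console(target, fetch=rotated))
```

Run it after changing the password to confirm the result moves from default-credentials to ok, and after restricting network access to confirm it reports unreachable from untrusted networks. The check is deliberately limited to one GET per credential pair and never installs or changes anything; a 200 without credentials is reported rather than treated as safe, because it can mean either an unprotected console or a form-based login page in front of it.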