Following a recent security audit of our applications, we encountered a security issue with our Automation Engine server on port 9997.
Symptoms
Java can expose a process management and monitoring interface through Java Management Extensions (JMX). This interface can be reached over the network, and the connection can optionally be authenticated and even encrypted.
If the JMX interface is not authenticated, an attacker can make the JVM create a Java object from an arbitrary URL, thus deploying Java code on the server. The attacker is then able to run system commands on the server.
Solution
Edit this file: C:\Esko\bg_prog_fastserver_v141\com_win\do_websrv_install.bat.
Change the line that reads:

    %SERVICE_EXECUTABLE%" //US//%WEBSRV_SERVICE_NAME% ++JvmOptions "%JPDA_OPTS%-Djava.io.tmpdir=%CATALINA_HOME%\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=%CATALINA_HOME%\conf\logging.properties;-Dcom.sun.management.jmxremote.port=9997;-Dcom.sun.management.jmxremote.ssl=false;-Dcom.sun.management.jmxremote.authenticate=false" --JvmMs 128 --JvmMx 256

to:

    %SERVICE_EXECUTABLE%" //US//%WEBSRV_SERVICE_NAME% ++JvmOptions "%JPDA_OPTS%-Djava.io.tmpdir=%CATALINA_HOME%\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=%CATALINA_HOME%\conf\logging.properties" --JvmMs 128 --JvmMx 256

In other words, remove the three -Dcom.sun.management.jmxremote.* options (port, ssl and authenticate), so that the JVM no longer opens a remote JMX port. Then execute that batch file to re-register the service with the new options: C:\Esko\bg_prog_fastserver_v141\com_win\do_websrv_install.bat
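To verify the change (or to audit other installations for the same issue), the following added example script, which is not part of the KB article or of Esko's software, parses the ++JvmOptions string of a procrun service line and reports a JMX remote port that is configured without authentication or without SSL. The BEFORE and AFTER lines are constructed copies of the two lines quoted above; the file path and function names are assumptions.

```python
import re

# Constructed samples: the service line before and after the fix described above.
BEFORE = ('"%SERVICE_EXECUTABLE%" //US//%WEBSRV_SERVICE_NAME% ++JvmOptions "%JPDA_OPTS%'
          '-Djava.io.tmpdir=%CATALINA_HOME%\\temp;'
          '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;'
          '-Djava.util.logging.config.file=%CATALINA_HOME%\\conf\\logging.properties;'
          '-Dcom.sun.management.jmxremote.port=9997;'
          '-Dcom.sun.management.jmxremote.ssl=false;'
          '-Dcom.sun.management.jmxremote.authenticate=false" --JvmMs 128 --JvmMx 256')
AFTER = ('"%SERVICE_EXECUTABLE%" //US//%WEBSRV_SERVICE_NAME% ++JvmOptions "%JPDA_OPTS%'
         '-Djava.io.tmpdir=%CATALINA_HOME%\\temp;'
         '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;'
         '-Djava.util.logging.config.file=%CATALINA_HOME%\\conf\\logging.properties"'
         ' --JvmMs 128 --JvmMx 256')

JVM_OPTIONS_RE = re.compile(r'\+\+JvmOptions\s+"([^"]*)"')
# procrun separates JVM options with ';', so a value runs until the next ';' or end of string.
SYSPROP_RE = re.compile(r'-D([\w.]+)=([^;]*)')
JMX_PREFIX = 'com.sun.management.jmxremote.'


def jmx_properties(batch_line):
    """Return the com.sun.management.jmxremote.* system properties set on a service line."""
    match = JVM_OPTIONS_RE.search(batch_line)
    if not match:
        return {}
    return {key: value.strip() for key, value in SYSPROP_RE.findall(match.group(1))
            if key.startswith(JMX_PREFIX)}


def jmx_findings(batch_line):
    """List the insecure JMX remote settings on one line (empty list means nothing to report)."""
    props = jmx_properties(batch_line)
    port = props.get(JMX_PREFIX + 'port')
    if port is None:          # no remote JMX port at all: nothing exposed on the network
        return []
    findings = []
    # The JVM defaults both settings to 'true' when a remote port is configured,
    # so only an explicit 'false' disables them.
    if props.get(JMX_PREFIX + 'authenticate', 'true').lower() == 'false':
        findings.append(f'JMX remote port {port} has authentication disabled')
    if props.get(JMX_PREFIX + 'ssl', 'true').lower() == 'false':
        findings.append(f'JMX remote port {port} has SSL disabled')
    return findings


def scan_batch_text(text):
    """Return (line_number, finding) pairs for every offending line in a batch file's text."""
    return [(number, finding) for number, line in enumerate(text.splitlines(), start=1)
            for finding in jmx_findings(line)]


if __name__ == '__main__':
    # Assumed install path from the article; adjust for the installation being checked.
    with open(r'C:\Esko\bg_prog_fastserver_v141\com_win\do_websrv_install.bat') as handle:
        for number, finding in scan_batch_text(handle.read()):
            print(f'line {number}: {finding}')
```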
Workaround
The following KB article (95783448) also offered a fix, but this was for 14.0 and earlier. Automation Engine 14.1 and newer changed some of the files mentioned in that KB article: