Uploaded image for project: 'Application Server 7'
  1. Application Server 7
  2. AS7-5220

tmp/auth/ challenge files are not deleted when access is via a remote client

    XMLWordPrintable

    Details

    • Steps to Reproduce:
      Hide

      1) Get the attached jmx client, it came originally from: http://code.google.com/p/jmxquery/downloads/detail?name=jmxquery-1.3-bin.zip&can=2&q=

      2) run a JBoss instance (we used domain mode) with its native management interface accessible to the outside

      3) On a remote server run the following command in a loop
      java -cp ./jmxquery.jar:/opt//jboss/jboss-eap-6-GA/bin/client/jboss-client.jar jmxquery.JMXQuery -U 'service:jmx:remoting-jmx://jbosshost:9999' -username admin -password admin123 -O java.lang:type=Memory -A HeapMemoryUsage -K used

      Change jboss host name, -username and -password as needed

      4) In the domain tmp/auth directory watch the *.challenge files increase

      Show
      1) Get the attached jmx client, it came originally from: http://code.google.com/p/jmxquery/downloads/detail?name=jmxquery-1.3-bin.zip&can=2&q= 2) run a JBoss instance (we used domain mode) with its native management interface accessible to the outside 3) On a remote server run the following command in a loop java -cp ./jmxquery.jar:/opt//jboss/jboss-eap-6-GA/bin/client/jboss-client.jar jmxquery.JMXQuery -U 'service:jmx:remoting-jmx://jbosshost:9999' -username admin -password admin123 -O java.lang:type=Memory -A HeapMemoryUsage -K used Change jboss host name, -username and -password as needed 4) In the domain tmp/auth directory watch the *.challenge files increase
    • Workaround Description:
      Hide

      manually/cronjob clean out the tmp/auth directory

      Show
      manually/cronjob clean out the tmp/auth directory

      Description

      the authentication process that creates temporary files in tmp/auth is not deleting them when a JMX client connects.

      At an extreme, this would be a DOS attack, as the disk could fill up.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              dlofthouse Darran Lofthouse
              Reporter:
              tfonteyn Tom Fonteyne (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: