Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.1.3.Final (EAP), EAP 6.1.0.Alpha (7.2.0.Final)
Affects Version/s: 7.1.2.Final (EAP)
Component/s: Domain Management, Security
Labels:
- as713tracking

Steps to Reproduce:

Hide

1) Get the attached jmx client, it came originally from: http://code.google.com/p/jmxquery/downloads/detail?name=jmxquery-1.3-bin.zip&can=2&q=

2) run a JBoss instance (we used domain mode) with its native management interface accessible to the outside

3) On a remote server run the following command in a loop
java -cp ./jmxquery.jar:/opt//jboss/jboss-eap-6-GA/bin/client/jboss-client.jar jmxquery.JMXQuery -U 'service:jmx:remoting-jmx://jbosshost:9999' -username admin -password admin123 -O java.lang:type=Memory -A HeapMemoryUsage -K used

Change jboss host name, -username and -password as needed

4) In the domain tmp/auth directory watch the *.challenge files increase

Show
1) Get the attached jmx client, it came originally from: http://code.google.com/p/jmxquery/downloads/detail?name=jmxquery-1.3-bin.zip&can=2&q= 2) run a JBoss instance (we used domain mode) with its native management interface accessible to the outside 3) On a remote server run the following command in a loop java -cp ./jmxquery.jar:/opt//jboss/jboss-eap-6-GA/bin/client/jboss-client.jar jmxquery.JMXQuery -U 'service:jmx:remoting-jmx://jbosshost:9999' -username admin -password admin123 -O java.lang:type=Memory -A HeapMemoryUsage -K used Change jboss host name, -username and -password as needed 4) In the domain tmp/auth directory watch the *.challenge files increase
Workaround Description:

Hide

manually/cronjob clean out the tmp/auth directory

Show
manually/cronjob clean out the tmp/auth directory

the authentication process that creates temporary files in tmp/auth is not deleting them when a JMX client connects.

At an extreme, this would be a DOS attack, as the disk could fill up.

blocks

AS7-5423 Upgrade to Remoting 3.2.8.SP1 or 3.2.11

Resolved

is blocked by

REM3-156 If a SaslServer or SaslClient is being abandoned dispose should be called to allow clean up.

Resolved

AS7-5326 Upgrade to JBoss SASL 1.0.2.Final

Resolved

Assignee:: Darran Lofthouse

Reporter:: Tom Fonteyne (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2012/07/19 4:47 AM

Updated:: 2020/09/14 5:42 AM

Resolved:: 2012/09/14 4:07 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates