Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.3.Final (EAP), EAP 6.1.0.Alpha (7.2.0.Final)
Affects Version/s: 7.1.2.Final (EAP)
Component/s: Clustering
Labels:
- eap6_need_triage
- pickFor7.1.3.Final

Affects:

Release Notes
Git Pull Request:
https://github.com/jbossas/jboss-as/pull/3070, https://github.com/jbossas/jboss-as/pull/3071

Description

The JGroups diagnostics service should be disabled by default.

This can be accomlished by removing the "diagnostics-socket-binding" attribute from the <transport> tags in the JGroups subsystem.

This is a security issue, because the diagnostics port enables many security-sensitive operations, with no authentication, including:

full thread dump of the JVM
add/remove JGroups protocols
call any method on any JGroups protocol, passing in arbitrary arguments

Attachments

Activity

People

Assignee:: Radoslav Husar

Reporter:: Dennis Reed

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2012/09/18 7:53 AM

Updated:: 2022/09/09 6:12 AM

Resolved:: 2012/09/19 3:18 PM