The JGroups diagnostics service should be disabled by default.
This can be accomplished by removing the "diagnostics-socket-binding" attribute from the <transport> tags in the JGroups subsystem.
This is a security issue because the diagnostics port allows many security-sensitive operations without authentication, including:
- full thread dump of the JVM
- add/remove JGroups protocols
- call any method on any JGroups protocol, passing in arbitrary arguments
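
A configuration audit for the change described above, as an added example that is not part of the original report or of the project's code. It assumes the JGroups subsystem uses a namespace beginning with `urn:jboss:domain:jgroups:`; the sample XML is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ATTR = "diagnostics-socket-binding"          # attribute named in the report
JGROUPS_NS = "urn:jboss:domain:jgroups:"     # assumption: subsystem namespace, any version

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
      <stack name="udp">
        <transport type="UDP" socket-binding="jgroups-udp"
                   diagnostics-socket-binding="jgroups-diagnostics"/>
        <protocol type="PING"/>
      </stack>
      <stack name="tcp">
        <transport type="TCP" socket-binding="jgroups-tcp"/>
      </stack>
    </subsystem>
  </profile>
</server>"""

def load(xml_text):
    return ET.fromstring(xml_text)

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def find_enabled_diagnostics(root):
    """Return (stack name, transport type, binding) for each transport exposing diagnostics."""
    findings = []
    for stack in root.iter():
        ns, local = split_tag(stack.tag)
        if local != "stack" or not ns.startswith(JGROUPS_NS):
            continue
        for child in stack:
            if split_tag(child.tag)[1] == "transport" and ATTR in child.attrib:
                findings.append((stack.get("name"), child.get("type"), child.get(ATTR)))
    return findings

def disable_diagnostics(root):
    """Remove the attribute from every JGroups <transport>; return how many were removed."""
    hits = [el for el in root.iter()
            if split_tag(el.tag)[1] == "transport"
            and split_tag(el.tag)[0].startswith(JGROUPS_NS) and ATTR in el.attrib]
    for el in hits:
        del el.attrib[ATTR]
    return len(hits)

if __name__ == "__main__":
    root = load(SAMPLE)
    print("before:", find_enabled_diagnostics(root))
    print("removed:", disable_diagnostics(root), "after:", find_enabled_diagnostics(root))
```

Matching on the namespace prefix rather than a fixed URI lets the same check run against configurations written for different subsystem schema versions.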