      Description

      The JGroups diagnostics service should be disabled by default.

      This can be accomplished by removing the "diagnostics-socket-binding" attribute from the <transport> tags in the JGroups subsystem.

      This is a security issue, because the diagnostics port enables many security-sensitive operations, with no authentication, including:

      • full thread dump of the JVM
      • add/remove JGroups protocols
      • call any method on any JGroups protocol, passing in arbitrary arguments

              People

              • Assignee:
                rhusar Radoslav Husar
                Reporter:
                dereed Dennis Reed
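An added example, not part of the original issue or the project's code: a configuration audit that lists every JGroups <transport> still carrying the "diagnostics-socket-binding" attribute and applies the removal described above. The sample configuration, its namespace versions, binding names and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATTR = "diagnostics-socket-binding"
# Constructed sample configuration for illustration; values are not from the issue.
SAMPLE_CONFIG = """\
<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
      <stack name="udp">
        <transport type="UDP" socket-binding="jgroups-udp"
                   diagnostics-socket-binding="jgroups-diagnostics"/>
      </stack>
      <stack name="tcp">
        <transport type="TCP" socket-binding="jgroups-tcp"/>
      </stack>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets">
    <socket-binding name="jgroups-diagnostics" port="0"
                    multicast-address="224.0.75.75" multicast-port="7500"/>
  </socket-binding-group>
</server>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _jgroups_transports(root):
    """Yield (stack, transport) pairs from any version of the JGroups subsystem."""
    for stack in root.iter():
        if _local(stack.tag) == "stack" and "jgroups" in stack.tag:
            for child in stack:
                if _local(child.tag) == "transport":
                    yield stack, child

def find_diagnostics_transports(xml_text):
    """List (stack name, transport type, binding name, binding attributes) per exposed transport."""
    root = ET.fromstring(xml_text)
    bindings = {e.get("name"): dict(e.attrib)
                for e in root.iter() if _local(e.tag) == "socket-binding"}
    return [(s.get("name"), t.get("type"), t.get(ATTR), bindings.get(t.get(ATTR)))
            for s, t in _jgroups_transports(root) if ATTR in t.attrib]

def disable_diagnostics(xml_text):
    """Remove the attribute from every transport; return (new XML, number removed)."""
    root = ET.fromstring(xml_text)
    hits = [t for _, t in _jgroups_transports(root) if t.attrib.pop(ATTR, None) is not None]
    return ET.tostring(root, encoding="unicode"), len(hits)
```

ElementTree re-serializes with generated namespace prefixes, so treat the output of disable_diagnostics as a check of the fix rather than a drop-in replacement file.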