Java JMX Agent Insecure Configuration | High Vulnerabilities Detected In Dev Environment (Doc ID 2820507.1)

Last updated on AUGUST 15, 2022

Applies to:

Oracle Utilities Customer Care and Billing - Version 2.6.0.1.0 and later
Information in this document applies to any platform.

Symptoms

On version 2.6.0.1.0, IP - Installation Upgrade Proc

ACTUAL BEHAVIOR
---------------
Java JMX Agent Insecure Configuration | High Vulnerabilities detected in dev environment


Below is the defect analysis done by Tenable security scan.

Please share how to enable password authentication for JMX agent.

A remote Java JMX agent is configured without SSL client and password authentication.

Description

A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.

Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM.
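A check for the condition the scan describes, as an added example that is not part of the Oracle document or its Solution section. It assumes the agent is configured through the standard JDK `com.sun.management.jmxremote.*` system properties on the JVM command line; the port, file paths and jar name in the sample command lines are constructed placeholders.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"
# JDK defaults that apply once a remote port is configured.
DEFAULTS = {"authenticate": "true", "ssl": "true", "ssl.need.client.auth": "false"}

# Constructed sample command lines (port, paths and jar name are placeholders).
INSECURE = ("java -Dcom.sun.management.jmxremote.port=9999 "
            "-Dcom.sun.management.jmxremote.authenticate=false "
            "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
HARDENED = ("java -Dcom.sun.management.jmxremote.port=9999 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.password.file=/opt/app/conf/jmxremote.password "
            "-Dcom.sun.management.jmxremote.access.file=/opt/app/conf/jmxremote.access "
            "-Dcom.sun.management.jmxremote.ssl=true "
            "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true -jar app.jar")


def parse_jmx_props(cmdline):
    """Collect -Dcom.sun.management.jmxremote[.*] options from a JVM command line."""
    props = {}
    for token in shlex.split(cmdline):
        key, _, value = token[2:].partition("=")
        if not token.startswith("-D") or not (key == PREFIX or key.startswith(PREFIX + ".")):
            continue
        # The bare property (no suffix) only enables the local agent.
        props[key[len(PREFIX) + 1:] or "enabled"] = value.strip()
    return props


def audit_jmx(cmdline):
    """Return findings for a remotely reachable JMX agent; empty list if none."""
    props = parse_jmx_props(cmdline)
    if "port" not in props:
        return []  # no remote connector requested on this command line
    cfg = {**DEFAULTS, **props}
    findings = []
    if cfg["authenticate"].lower() != "true":
        findings.append("password authentication disabled")
    if cfg["ssl"].lower() != "true":
        findings.append("SSL/TLS disabled")
    elif cfg["ssl.need.client.auth"].lower() != "true":
        findings.append("SSL client authentication not required")
    return findings


if __name__ == "__main__":
    for name, cmd in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, audit_jmx(cmd) or "no findings")
```

The same properties can also be set in the JDK's `management.properties` file, which this command-line check does not read.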




Cause
