Java JMX Agent Insecure Configuration | High Vulnerabilities Detected In Dev Environment
(Doc ID 2820507.1)
Last updated on AUGUST 15, 2022
Applies to:Oracle Utilities Customer Care and Billing - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
On : 18.104.22.168.0 version, IP - Installation Upgrade Proc
Java JMX Agent Insecure Configuration | High Vulnerabilities detected in dev environment
Below is the defect analysis done by Tenable security scan.
Please share how to enable password authentication for JMX agent.
A remote Java JMX agent is configured without SSL client and password authentication.
A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.
Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document