This is an automated email from the ASF dual-hosted git repository. brandonwilliams pushed a commit to branch cassandra-5.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit 88a5ea76cf39fb3d3a527eb1053fa06aa16dfaf2
Author: Brandon Williams <[email protected]>
AuthorDate: Wed Nov 13 12:44:20 2024 -0600
Update RMI object marshalling restrictions
Patch by brandonwilliams; reviewed by paulo for CASSANDRA-20076
---
 src/java/org/apache/cassandra/utils/JMXServerUtils.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/java/org/apache/cassandra/utils/JMXServerUtils.java b/src/java/org/apache/cassandra/utils/JMXServerUtils.java
index 3f26d59e6e..78c8ced8d2 100644
--- a/src/java/org/apache/cassandra/utils/JMXServerUtils.java
+++ b/src/java/org/apache/cassandra/utils/JMXServerUtils.java
@@ -104,6 +104,8 @@ public class JMXServerUtils
 // via a JAAS configuration entry, or one which delegates to the standard file based authenticator.
 // Authn is disabled if com.sun.management.jmxremote.authenticate=false
 env.putAll(configureJmxAuthentication());
+ // Secure credential passing to avoid deserialization attacks
+ env.putAll(configureSecureCredentials());
 
 // Configure authz - if a custom proxy class is specified an instance will be returned.
 // If not, but a location for the standard access file is set in system properties, the
@@ -154,6 +156,13 @@ public class JMXServerUtils
 return createJMXServer(port, null, local);
 }
 
+ private static Map<String, Object> configureSecureCredentials()
+ {
+ Map<String, Object> env = new HashMap<>();
+ env.put("jmx.remote.rmi.server.credentials.filter.pattern", String.class.getName() + ";!*");
+ return env;
+ }
+
 private static Map<String, Object> configureJmxAuthentication()
 {
 Map<String, Object> env = new HashMap<>();
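Review bot: The added comment `// Secure credential passing to avoid deserialization attacks` names the threat but not the mechanism, so a reader cannot tell what is and is not covered by the call below it. Suggest `// Restrict which classes the RMI server will deserialize from the client credentials object (see configureSecureCredentials()).` so the scope is explicit. The enclosing method starts and ends outside this hunk.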
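Review bot: configureSecureCredentials hard-codes the property name as a string literal although the JDK exposes it as `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` (javax.management.remote.rmi, JDK 10+); `env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*");` would let the compiler catch a typo and visibly ties the setting to the deprecated `jmx.remote.rmi.server.credential.types` it replaces in the hunk at line 3. Whether that class is already imported is outside the hunk. The method also has no Javadoc; a one-line summary stating that the value is an ObjectInputFilter pattern that allows only `java.lang.String` (array credentials such as `String[]` are matched by their component type) and rejects every other class would save the next reader a trip to the JDK docs. Worth noting in that doc that this filter covers only the credentials object; deserialization of MBean invocation arguments after authentication is governed by the separate `jmx.remote.rmi.server.serial.filter.pattern` setting, which this commit does not touch.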
@@ -187,8 +196,6 @@ public class JMXServerUtils
 env.put(JMXConnectorServer.AUTHENTICATOR, new JMXPluggableAuthenticatorWrapper(env));
 }
 
- env.put("jmx.remote.rmi.server.credential.types",
- new String[] { String[].class.getName(), String.class.getName() });
 return env;
 }
 
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
