[
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136377#comment-17136377
]
Richard Zowalla commented on TOMEE-2294:
----------------------------------------
Thanks for the details and insights [~Henskens]
I think the relevant part for this on TomEE side is located in
[https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/resource/activemq/ActiveMQ5Factory.java]
(respectivley in
[https://github.com/apache/tomee/blob/master/container/openejb-core/src/test/java/org/apache/openejb/resource/activemq/ActiveMQ5FactoryTest.java]).
[~jgallimore] has added a call "setCreateConnector(false)" per default. See
also the related CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11969]
But we might need to parse the content of ?useJmx=<VALUE> instead and set this
value inside the factory.
The question is:
* ?useJmx=false -> no unauthenticated JMX port on 1099 should be opened?
Current impl does call "setCreateConnector(false)".
* ?useJmx=true -> *what do we expect in this case?* Current impl -> no port is
opened (see CVE)
WDYT?
> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Reporter: Frans
> Priority: Major
> Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on
> port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = broker:(vm://broker)?useJmx=false
> ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down
> the same version of activemq-all, and putting that in the tomee/lib
> directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = xbean:file:activemq.xml
> ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
> <broker xmlns="http://activemq.apache.org/schema/core";
> useJmx="false"
> brokerName="broker"
> useShutdownHook="false"
> persistent="true"
> start="true"
> schedulerSupport="false"
> enableStatistics="false"
> offlineDurableSubscriberTimeout="259200000"
> offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull
> down specific jars, and maintain a second configuration file seems like a lot
> of effort to go to just to have the ability to disable unauthenticated access
> to every MBean in the VM
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
