[ https://issues.apache.org/jira/browse/KARAF-4057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14952692#comment-14952692 ]
Achim Nierbeck commented on KARAF-4057:
---------------------------------------
I can't recall that Karaf opens this port. What is the configuration of your
system?
There are various applications which can be installed optionally that might be
addressed with this port.
So you need to give us a bit more detail on your system.
Is it a vanilla Apache Karaf, or is it a custom one?
Is your system altered? What kind of features/bundles have been installed?
Might it be that this port is opened by your own application?
> karaf2.4.0 of rmiServerPort = 2098 is not secure, will get attacked by
> BIAS, BEAST, NO_PFS.
> ---------------------------------------------------------------------------------------------
>
> Key: KARAF-4057
> URL: https://issues.apache.org/jira/browse/KARAF-4057
> Project: Karaf
> Issue Type: Bug
> Components: karaf-security
> Affects Versions: 2.4.3
> Environment: OS:centos6.7
> jdk:1.8
> Reporter: holmovie
> Priority: Critical
> Attachments: uc2.7_result.txt
>
>
> We use the script “ssl-cipher-suite-enum.pl” (version 1.0.0) to scan our RMI
> server, whose port is 2098; please check the attachment for details.
> I have several questions to ask:
> 1. How can these attacks (BEAST, BIAS...) be avoided in karaf2.4.3?
> If yes, what is the solution?
> 2. If we use the latest Karaf version, could these loopholes be solved or
> not?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)