This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/3.7.x by this push:
new ab82c9104f JAMES-3881 -Djmx.remote.x.mlet.allow.getMBeansFromURL=false
(#1460)
ab82c9104f is described below
commit ab82c9104f0ad787d46dbff5e55d39e4c02fb5c3
Author: Benoit TELLIER <[email protected]>
AuthorDate: Sun Feb 26 20:40:04 2023 +0700
JAMES-3881 -Djmx.remote.x.mlet.allow.getMBeansFromURL=false (#1460)
This prevents the use of MLets for remote code execution and
makes life harder for attackers.
---
server/apps/cassandra-app/sample-configuration/jvm.properties | 4 ++++
.../distributed-app/docs/modules/ROOT/pages/operate/security.adoc | 2 +-
server/apps/distributed-app/sample-configuration/jvm.properties | 6 +++++-
.../apps/distributed-pop3-app/sample-configuration/jvm.properties | 6 +++++-
server/apps/jpa-app/sample-configuration/jvm.properties | 4 ++++
server/apps/jpa-smtp-app/sample-configuration/jvm.properties | 6 +++++-
server/apps/memory-app/sample-configuration/jvm.properties | 4 ++++
server/apps/spring-app/pom.xml | 4 +++-
8 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/server/apps/cassandra-app/sample-configuration/jvm.properties
b/server/apps/cassandra-app/sample-configuration/jvm.properties
index 0b68f80998..04613ace32 100644
--- a/server/apps/cassandra-app/sample-configuration/jvm.properties
+++ b/server/apps/cassandra-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
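Review bot: The comment above `jmx.remote.x.mlet.allow.getMBeansFromURL=false` describes it as disabling "Remote Code Execution feature from JMX", but the property only gates `MLet.getMBeansFromURL` in the JDK's MBeanServerAccessController, and if I read the linked source correctly that check already denies the call unless the value is literally "true", so this entry pins the secure default rather than tightening anything; stating that keeps operators from assuming the other JMX code paths that security.adoc item 8 warns about are now closed. I would replace the two comment lines with `# Keep false (JDK default): "true" would allow MLet.getMBeansFromURL to load MBeans from arbitrary URLs over JMX` and keep the reference link. Entries in jvm.properties presumably become system properties via the James launcher at startup, so it is worth confirming that happens before the JMX connector is initialised, unlike the spring-app change which passes it on the JVM command line. The same comment applies to the hunks ending at L78, L97, L113, L131 and L146, which also differ in whether the new line gets a trailing newline (L39, L78, L113 lack one).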
diff --git
a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
index 3170b360d8..de45b23e04 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
@@ -61,7 +61,7 @@ for your outgoing emails to be trusted.
- 8. Prevent access to JMX. This can be achieved through a strict firewalling
policy
(link:https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/[blocking
port 9999 is not enough])
or xref:configure/jmx.adoc[disabling JMX]. JMX is needed to use the existing
CLI application but webadmin do offer similar
-features.
+features. Set the `jmx.remote.x.mlet.allow.getMBeansFromURL` to `false` to
disable JMX remote code execution feature.
- 9. If JMAP is enabled, be sure that JMAP PUSH cannot be used for server
side request forgery. This can be
xref:configure/jmap.adoc[configured] using the
`push.prevent.server.side.request.forgery=true` property,
diff --git a/server/apps/distributed-app/sample-configuration/jvm.properties
b/server/apps/distributed-app/sample-configuration/jvm.properties
index a3ddab4185..04613ace32 100644
--- a/server/apps/distributed-app/sample-configuration/jvm.properties
+++ b/server/apps/distributed-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
# Optional. Boolean. Defaults to false. Recommended value is false.
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
diff --git
a/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
b/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
index a3ddab4185..65e94f8a5a 100644
--- a/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
+++ b/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
# Optional. Boolean. Defaults to false. Recommended value is false.
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/jpa-app/sample-configuration/jvm.properties
b/server/apps/jpa-app/sample-configuration/jvm.properties
index 0b68f80998..04613ace32 100644
--- a/server/apps/jpa-app/sample-configuration/jvm.properties
+++ b/server/apps/jpa-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
diff --git a/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
b/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
index a3ddab4185..65e94f8a5a 100644
--- a/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
+++ b/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
# Optional. Boolean. Defaults to false. Recommended value is false.
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/memory-app/sample-configuration/jvm.properties
b/server/apps/memory-app/sample-configuration/jvm.properties
index 0b68f80998..65e94f8a5a 100644
--- a/server/apps/memory-app/sample-configuration/jvm.properties
+++ b/server/apps/memory-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
# Should MimeMessageWrapper use a copy of the message in memory? Or should
bigger message exceeding james.message.memory.threshold
# be copied to temporary files?
#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/spring-app/pom.xml b/server/apps/spring-app/pom.xml
index 390ace06b6..f82cd65365 100644
--- a/server/apps/spring-app/pom.xml
+++ b/server/apps/spring-app/pom.xml
@@ -49,10 +49,12 @@
<javamail.system-property9>-Dmail.mime.decodeparameters=true</javamail.system-property9>
<javamail.system-property10>-Dmail.mime.address.strict=false</javamail.system-property10>
<javamail.system-property11>-Djames.jmx.unregister.log4j.mbeans=true</javamail.system-property11>
+
<javamail.system-property12>-Djmx.remote.x.mlet.allow.getMBeansFromURL=false</javamail.system-property12>
<javamail.system-properties>${javamail.system-property1}
${javamail.system-property2}
${javamail.system-property3} ${javamail.system-property4}
${javamail.system-property5}
${javamail.system-property6} ${javamail.system-property7}
${javamail.system-property8}
- ${javamail.system-property9} ${javamail.system-property10}
${javamail.system-property11}</javamail.system-properties>
+ ${javamail.system-property9} ${javamail.system-property10}
${javamail.system-property11}
+ ${javamail.system-property12} </javamail.system-properties>
<!-- JMX system properties -->
<!-- For more details see -->
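Review bot: The new `javamail.system-property12` carries no explanation of why `-Djmx.remote.x.mlet.allow.getMBeansFromURL=false` is set, whereas the jvm.properties files in this commit get a comment and a reference; a reader of the pom sees only the `<!-- JMX system properties -->` marker further down. I would add `<!-- JAMES-3881: keep MLet.getMBeansFromURL denied over JMX (this is the JDK default, "true" would re-enable it) -->` above the property12 line. The added line appears here as a bare `+` followed by the property on the next physical line, which may be mail wrapping, but if it is a real blank line it separates property12 from its siblings. The trailing space before `</javamail.system-properties>` after `${javamail.system-property12}` is a style nit worth dropping while touching the line.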