I need help resolving the vulnerability below. We have this in our Tomcat instance running version 7 and Java "1.8.0_242". It was detected on port 1099. This RMI port is not configured in any configuration file, as it is the default port, and I am also not seeing any RMI-related configuration in setenv.sh, server.xml or catalina.properties. I am clueless about how to disable this RMI port.
In Dev we also had this, but after we removed the entry below from setenv.sh, port 1099 was no longer listening and the vulnerability disappeared. But in our prod environment, we don't have this entry at all.
CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/var/opt/vmware/vfabric-tc-server-standard/inst1/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/var/opt/vmware/vfabric-tc-server-standard/inst1/conf/jmxremote.access"
Vulnerability:
Java JMX interface is accessible via following username/password pairs:
admin/password
admin/admin
admin/activemq
monitorRole/QED
controlRole/R%26D
controlrole/password
monitorrole/password
cassandra/cassandrapassword
monitorRole/tomcat
controlRole/tomcat
monitorRole/mrpasswd
controlRole/crpasswd
role1/role1passwd
role2/role2passwd
role3/role3passwd
admin/thisIsSupposedToBeAStrongPassword!
QID Detection Logic (Authenticated):
This QID tries to log into JMX RMI server using above credentials.
Note: if the remote JMX RMI server is accessible without authentication, all of the above credentials will post.
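
An added example, not part of the original post: when no config file shows a JMX entry, the running JVM's own command line still lists every `-Dcom.sun.management.jmxremote*` option it was started with, whichever script set it. The function names and the sample command line (modelled on the dev entry above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the JMX remote settings on a JVM command line.

# Print each -Dcom.sun.management.jmxremote* option, one per line.
# Input: a file of NUL-separated arguments (the layout of /proc/<pid>/cmdline).
jmx_flags() {
  tr '\0' '\n' < "$1" | grep -E '^-Dcom\.sun\.management\.jmxremote(\.|=|$)' || true
}

# Print the value of one jmxremote sub-property, or the given default.
jmx_value() {  # $1=cmdline file  $2=sub-property  $3=default
  v=$(jmx_flags "$1" | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p" | tail -n 1)
  printf '%s\n' "${v:-$3}"
}

# Summarise exposure; exit status is non-zero when auth or TLS is switched off.
jmx_audit() {
  port=$(jmx_value "$1" port none)
  if [ "$port" = none ]; then echo "remote-jmx=off"; return 0; fi
  auth=$(jmx_value "$1" authenticate true)  # JVM default: true
  ssl=$(jmx_value "$1" ssl true)            # JVM default: true
  echo "remote-jmx=on port=$port authenticate=$auth ssl=$ssl"
  [ "$auth" = true ] && [ "$ssl" = true ]
}

# Constructed sample: a Tomcat command line carrying the dev entry from the post.
sample_cmdline() {
  printf '%s\0' java -Dcom.sun.management.jmxremote.port=1098 \
    -Dcom.sun.management.jmxremote.ssl=false \
    -Dcom.sun.management.jmxremote.authenticate=true \
    -classpath bootstrap.jar org.apache.catalina.startup.Bootstrap start
}

# Live use on Linux (assumption: procfs is readable for the Tomcat process):
#   for p in $(pgrep -f org.apache.catalina.startup.Bootstrap); do
#     jmx_audit "/proc/$p/cmdline"
#   done
demo_file=$(mktemp)
sample_cmdline > "$demo_file"
jmx_audit "$demo_file" || echo "weak JMX settings on this command line"
rm -f "$demo_file"
```

If the command line shows no `jmxremote` option at all, the listener on 1099 is being opened some other way, and the owning PID from `ss -ltnp` or `lsof -i :1099` is the next thing to check.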