3.4 The JMXInvokerServlet servlet must be secured against web attacks - 'http-method,GET = false'

Information

The httpha-invoker.sar found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. By default older JBoss versions ship with a default set of <http-method> that allow attackers to bypass the security policy for JMX Invoker.

Solution

Within the JBOSS_HOME/server/@[email protected]/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml file, the following lines must be removed from the web-app/security-constraint/web-resource-collection node:

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I

Plugin: Unix

Control ID: 4806f69710352e41386c8be33db44967142ef9d0668986ad7791f63b57d20b2b