3.4 The JMXInvokerServlet servlet must be secured against web attacks - 'http-method,'POST' = false'

Information

The httpha-invoker.sar found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. By default, older JBoss versions ship the invoker.war web.xml with a security-constraint whose web-resource-collection lists explicit <http-method> elements. Under the Servlet specification such a list narrows the constraint to the named methods only, so a request that uses any other HTTP method reaches the JMX Invoker servlet without the role check, allowing attackers to bypass the security policy for the JMX Invoker.

Solution

Within the JBOSS_HOME/server/<profile>/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml file (where <profile> is the server profile in use), the following lines must be removed from the web-app/security-constraint/web-resource-collection node:
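As an added example (not part of the Tenable audit and not JBoss's own web.xml), the weak form of that node beside the corrected form, together with a small Python check that reports every <http-method> entry found under web-app/security-constraint/web-resource-collection, which is what this audit item tests. The url-pattern, web-resource-name, role name and the method names in the constructed weak fragment are illustrative assumptions; only the structure of the node is taken from the page.

```python
# Added example: a compliance check for <http-method> entries inside a
# security-constraint's web-resource-collection, run against two
# constructed web.xml fragments.  Not Tenable's audit code or JBoss's own.
import xml.etree.ElementTree as ET

# Constructed weak fragment.  The http-method elements limit the
# constraint to GET and POST, so a request using any other HTTP method is
# dispatched to the servlet without the role check.  Element values are
# illustrative, not copied from JBoss.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected fragment: with no http-method elements the constraint covers
# every HTTP method, which is the state the audit item requires.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an ElementTree namespace prefix of the form {uri}name."""
    return tag.rsplit('}', 1)[-1]


def find_constrained_methods(web_xml_text):
    """Return a list of (url_patterns, http_methods) for every
    web-resource-collection under a security-constraint.

    An empty http_methods list means the constraint applies to all HTTP
    methods; a non-empty list means only those methods are protected."""
    root = ET.fromstring(web_xml_text)
    if _local(root.tag) != 'web-app':
        raise ValueError('not a web.xml: root element is %s' % root.tag)
    results = []
    for sc in root:
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            patterns = [e.text.strip() for e in wrc
                        if _local(e.tag) == 'url-pattern' and e.text]
            methods = [e.text.strip() for e in wrc
                       if _local(e.tag) == 'http-method' and e.text]
            results.append((patterns, methods))
    return results


def is_compliant(web_xml_text):
    """True when no web-resource-collection narrows its constraint to a
    subset of HTTP methods (the condition this audit item checks)."""
    return all(not methods for _, methods in find_constrained_methods(web_xml_text))


if __name__ == '__main__':
    for label, text in (('weak', WEAK_WEB_XML), ('fixed', FIXED_WEB_XML)):
        for patterns, methods in find_constrained_methods(text):
            scope = ', '.join(methods) if methods else 'all methods'
            print('%s: url-pattern %s constrained for %s' % (label, patterns, scope))
        print('%s: compliant = %s' % (label, is_compliant(text)))
```

The check deliberately matches on local element names so it works whether or not the web.xml declares the Java EE namespace; to audit a real deployment, read the file from the path given in the Solution and pass its contents to is_compliant.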

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I

Plugin: Unix

Control ID: 86f569125dd003374fc9c4f00f46b63f6d8c200cf105cf30627ce8e0af223dbc