Java JMX Agent Insecure Configuration
Severity: High
Nessus Plugin ID: 118039
Synopsis
A remote Java JMX agent is configured with neither SSL client authentication nor password authentication.
Description
A Java JMX agent running on the remote host is configured with neither SSL client authentication nor password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.
Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to load new MBeans from arbitrary URLs, at least when no security manager is installed. As a result, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM.
Solution
Enable SSL client authentication or password authentication for the JMX agent.
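The following is an added example, not part of the Nessus plugin text: it places the JVM option set that produces the reported condition (remote JMX port open, password authentication and SSL explicitly disabled) beside a hardened set that satisfies the solution, and defines a small POSIX sh audit function that flags the insecure combination in a JVM command line. The property names are the standard com.sun.management.jmxremote.* and javax.net.ssl.* properties shipped with the JDK; the port number, file paths and keystore password are placeholders, and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Nessus plugin): insecure vs. hardened remote JMX options,
# plus an audit function that reproduces the plugin's finding from a JVM command line.
# Port, file paths and keystore password below are placeholders (assumed values).

# Insecure: remote port exposed, password auth off, SSL off. This is the condition the plugin reports.
INSECURE_OPTS="-Dcom.sun.management.jmxremote.port=9010 \
  -Dcom.sun.management.jmxremote.authenticate=false \
  -Dcom.sun.management.jmxremote.ssl=false"

# Hardened: password and access files for authentication, SSL on for the connector and the
# RMI registry, and a client certificate required on every connection.
SECURE_OPTS="-Dcom.sun.management.jmxremote.port=9010 \
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password \
  -Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.registry.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
  -Djavax.net.ssl.keyStore=/path/to/keystore.p12 \
  -Djavax.net.ssl.keyStorePassword=changeit \
  -Djavax.net.ssl.trustStore=/path/to/truststore.p12 \
  -Djavax.net.ssl.trustStorePassword=changeit"

# Acceptable under the plugin's solution: password auth off, but SSL client-certificate
# authentication enforced instead.
CLIENT_CERT_OPTS="-Dcom.sun.management.jmxremote.port=9010 \
  -Dcom.sun.management.jmxremote.authenticate=false \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
  -Djavax.net.ssl.keyStore=/path/to/keystore.p12 \
  -Djavax.net.ssl.keyStorePassword=changeit \
  -Djavax.net.ssl.trustStore=/path/to/truststore.p12 \
  -Djavax.net.ssl.trustStorePassword=changeit"

# Local-only agent (no remote port): not reachable over the network, so not what the plugin flags.
LOCAL_OPTS="-Dcom.sun.management.jmxremote"

# jmx_insecure CMDLINE
# Exit status 0 when the command line opens a remote JMX port with password authentication
# disabled and no SSL client-certificate authentication in its place; 1 otherwise.
jmx_insecure() {
  cmd="$1"
  # Without a remote port the agent is local-only.
  case "$cmd" in
    *-Dcom.sun.management.jmxremote.port=*) ;;
    *) return 1 ;;
  esac
  # authenticate defaults to true once a port is set, so only an explicit false matters.
  case "$cmd" in
    *-Dcom.sun.management.jmxremote.authenticate=false*) ;;
    *) return 1 ;;
  esac
  # Password auth is off. The only remaining authentication is an SSL client certificate,
  # which needs SSL left on (its default) and need.client.auth=true.
  case "$cmd" in
    *-Dcom.sun.management.jmxremote.ssl=false*) return 0 ;;
  esac
  case "$cmd" in
    *-Dcom.sun.management.jmxremote.ssl.need.client.auth=true*) return 1 ;;
  esac
  return 0
}

# Report each sample configuration.
for name in INSECURE_OPTS SECURE_OPTS CLIENT_CERT_OPTS LOCAL_OPTS; do
  eval "opts=\$$name"
  if jmx_insecure "$opts"; then
    echo "$name: INSECURE (unauthenticated remote JMX)"
  else
    echo "$name: ok"
  fi
done
```

In a real audit the command line would come from `ps -o args=` for each Java process rather than from the constants above; the function only needs the argument string. The check mirrors the plugin's wording: it reports a finding when neither password authentication nor SSL client-certificate authentication protects the remote port, and nothing else.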