
Reported Products

WSO2 API Manager

WSO2 Clarification

"ZDI-CAN-13449" [1] discusses the Java Management Extensions (JMX) and Remote Method Invocation (RMI) services available with WSO2 products. Java Management Extensions (JMX) is a technology that lets you implement management interfaces for Java applications [2]. The services in question enforce authentication and authorization to prevent unauthorized access. As also documented in [2], JMX services can only be accessed after properly authenticating with the credentials of a user who has the "Server Admin" permission.

Even though ZDI-CAN-13449 states "Authentication is not required to exploit this vulnerability", this statement rests only on the fact that the default administrator credential (admin/admin) shipped with the product can be used to connect to the JMX port.

Even though WSO2 products are shipped with a default administrator credential, we highly recommend changing it. This is further detailed in the Security Guidelines for Production Deployments [3].

Once the default administrator credentials are changed, JMX service authentication also adopts the new credentials. The service can be accessed only after providing a valid credential for a user with the Server Admin permission. Therefore, considering the above facts, the reported security issue ZDI-CAN-13449 [1] has no impact when the default admin credentials have been changed as per the Security Guidelines for Production Deployments [3]. If your deployment still uses the default credentials, we strongly suggest that you change them by following the Security Guidelines for Production Deployments [3].

If JMX services are not required, you can disable JMX completely by following the WSO2 documentation [4]. As an additional measure, you can also prevent untrusted networks from reaching the rmi_registry_port (default: 9999) and the rmi_server_port (default: 11111).
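The two mitigations above (disable JMX, or fence off its RMI ports) can be checked against a server's deployment.toml. The following audit script is an added example, not WSO2's own code; it assumes the JMX settings live in a `[monitoring.jmx]` table, that `rmi_server_start = false` is the key the "disabling JMX" documentation uses, and that JMX is enabled when that key is absent.

```shell
# Added example (not WSO2 code). Audits the [monitoring.jmx] table of a
# deployment.toml. Assumptions: rmi_server_start=false disables JMX, and a
# missing key means JMX is enabled; the port keys are those named above.

# Print the value of key $2 in the [monitoring.jmx] table of file $1,
# with quotes and trailing comments stripped; print nothing if absent.
jmx_setting() {
  awk -v key="$2" '
    /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[monitoring\.jmx\][[:space:]]*$/); next }
    in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*#.*$/, "")
      sub(/[[:space:]]*$/, ""); gsub(/"/, ""); print; exit
    }' "$1"
}

# Exit 0 when JMX is enabled (rmi_server_start missing or not "false").
jmx_enabled() {
  v=$(jmx_setting "$1" rmi_server_start)
  [ "${v:-true}" = "true" ]
}

# Print "<registry_port> <server_port>", falling back to the product
# defaults 9999 and 11111 when the keys are not set.
jmx_ports() {
  reg=$(jmx_setting "$1" rmi_registry_port)
  srv=$(jmx_setting "$1" rmi_server_port)
  echo "${reg:-9999} ${srv:-11111}"
}

# One-line verdict: JMX is off, or these two ports need network restriction
# and the default admin credential must have been rotated.
jmx_verdict() {
  if jmx_enabled "$1"; then
    echo "JMX ENABLED: restrict ports $(jmx_ports "$1") to trusted networks; ensure admin/admin is changed"
  else
    echo "JMX disabled"
  fi
}

# Constructed sample configs (not from a real deployment) to exercise the checks.
SAMPLE_ON=$(mktemp); SAMPLE_OFF=$(mktemp)
printf '[server]\nhostname = "localhost"\n\n[monitoring.jmx]\nrmi_registry_port = 19999  # moved off the default\nrmi_server_port = "21111"\n' > "$SAMPLE_ON"
printf '[monitoring.jmx]\nrmi_server_start = false\n' > "$SAMPLE_OFF"
jmx_verdict "$SAMPLE_ON"   # JMX ENABLED: restrict ports 19999 21111 ...
jmx_verdict "$SAMPLE_OFF"  # JMX disabled
```

Run it against the real `<APIM_HOME>/repository/conf/deployment.toml` instead of the constructed samples; a "JMX ENABLED" verdict means the listed ports must be unreachable from untrusted networks.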


References

[1] https://www.zerodayinitiative.com/advisories/ZDI-21-879/

[2] https://apim.docs.wso2.com/en/4.0.0/administer/logging-and-monitoring/monitoring/jmx-based-monitoring/

[3] https://apim.docs.wso2.com/en/4.0.0/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment/

[4] https://apim.docs.wso2.com/en/4.0.0/administer/logging-and-monitoring/monitoring/jmx-based-monitoring/#disabling-jmx-for-the-server
