
Improve proxy denylist #543

Merged
merged 2 commits into from Feb 14, 2023

Conversation

@qtc-de (Contributor) commented Feb 6, 2023

Changes

Jolokia attempts to prevent LDAP-based JNDI injection attacks by applying a default denylist to JMX service URLs that are supplied in proxy mode. However, the pattern matching that is done with this list is case-sensitive. This allows for an easy bypass of the protection. The following JMX service URL passes the filter and causes an outbound LDAP connection:

service:jmx:Rmi:///jndi/ldap://bypassed/ups

I hope you don't mind the public disclosure, but I estimate the impact of this issue to be quite low.

/kind enhancement

Release Note

The whitelist and blacklist that user-supplied JMX service URLs are matched against when running Jolokia in proxy mode are now treated case-insensitively. This could cause different behavior for already existing configurations. If you use Jolokia in proxy mode and rely on specific whitelist or blacklist settings, you should review your configuration.

Jolokia attempts to prevent LDAP-based JNDI injection attacks by applying a default denylist to JMX service URLs. However, the pattern matching that is done with this list is case-sensitive. This allows for an easy bypass of the protection.

Updated the Jolokia proxy documentation to mention that whitelists are matched case-insensitively.
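The bypass in the PR description comes down to one mismatch: the filter compares the raw URL string case-sensitively, while the JMX layer treats the protocol component as case-insensitive (javax.management.remote.JMXServiceURL lowercases the protocol), so `Rmi` and `rmi` select the same connector but only one spelling matches the pattern. The following is an added example, not Jolokia's code and not from the PR; the denylist pattern and function names are constructed for illustration and only model the behavior the PR describes (a case-sensitive match beside the case-insensitive match the fix introduces).

```python
import re

# Constructed denylist for this example. It models the PR's description of
# Jolokia's proxy-mode default (block JNDI/LDAP targets); it is not the
# project's actual pattern list.
DENYLIST_PATTERNS = [r"service:jmx:rmi:///jndi/ldap:.*"]

# The URL quoted in the PR as passing the case-sensitive filter.
BYPASS_URL = "service:jmx:Rmi:///jndi/ldap://bypassed/ups"


def _compile(patterns, case_insensitive):
    flags = re.IGNORECASE if case_insensitive else 0
    return [re.compile(p, flags) for p in patterns]


def is_denied(url, patterns=DENYLIST_PATTERNS, case_insensitive=False):
    """Return True when url is rejected by the denylist.

    fullmatch() mirrors Java's Matcher.matches(): the whole URL must match.
    With case_insensitive=False this is the vulnerable behavior from the PR;
    with case_insensitive=True it is the hardened behavior.
    """
    return any(rx.fullmatch(url) for rx in _compile(patterns, case_insensitive))


def effective_protocol(url):
    """Return the protocol the JMX layer will actually use.

    A JMX service URL has the form service:jmx:<protocol>:<sap>. JMXServiceURL
    lowercases <protocol>, so 'Rmi', 'RMI' and 'rmi' all resolve to the same
    connector even though they are distinct strings to a case-sensitive regex.
    """
    parts = url.split(":", 3)
    if len(parts) < 4 or parts[0].lower() != "service" or parts[1].lower() != "jmx":
        raise ValueError(f"not a JMX service URL: {url!r}")
    return parts[2].lower()


def case_variants(url):
    """Constructed spellings of the protocol component an attacker could try."""
    parts = url.split(":", 3)
    proto = parts[2]
    return [
        ":".join(parts[:2] + [variant] + parts[3:])
        for variant in (proto.lower(), proto.upper(), proto.capitalize())
    ]


def audit(url):
    """Compare the vulnerable and hardened checks for every case variant."""
    return {
        variant: {
            "protocol": effective_protocol(variant),
            "case_sensitive_denies": is_denied(variant),
            "case_insensitive_denies": is_denied(variant, case_insensitive=True),
        }
        for variant in case_variants(url)
    }


if __name__ == "__main__":
    for variant, result in audit(BYPASS_URL).items():
        print(variant, result)
```

Every variant reports `protocol == "rmi"`, yet only the all-lowercase spelling is denied by the case-sensitive check; the case-insensitive check denies all three. The same reasoning is why the release note warns about allowlists: an allowlist entry written in one case that previously rejected differently-cased targets will accept them after the change.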
@rhuss (Member) left a comment
Good catch, thanks!

@rhuss rhuss merged commit a7e5de2 into jolokia:master Feb 14, 2023
2 participants