HIGH Java JMX Agent Insecure Configuration

Description
A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.


Moreover, this insecure configuration could allow the attacker to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, the attacker could execute arbitrary code on the remote host under the security context of the remote Java VM.
Solution
Enable SSL client or password authentication for the JMX agent.
See Also
http://www.nessus.org/u?3d7065e0
http://www.nessus.org/u?ff9fe54
Output

  • ClassPath: /soft/activemq//bin/activemq.jar
  • InputArguments: -Xms64M -Xmx1G -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=/soft/activemq//conf/login.config -Dcom.sun.management.jmxremote -Djava.awt.headless=true -Djava.io.tmpdir=/soft/activemq//tmp -Dactivemq.classpath=/soft/activemq//conf:/home/app/activemq//../lib/: -Dactivemq.home=/soft/activemq/ -Dactivemq.base=/soft/activemq/ -Dactivemq.conf=/soft/activemq//conf -Dactivemq.data=/soft/activemq//data
Roughly, this means the Java JMX agent is enabled, but neither SSL client authentication nor password authentication is configured. An unauthenticated remote attacker can connect to the JMX agent and monitor and manage the Java application that enabled it.
Fix: simply turn off Java JMX monitoring by editing the activemq.xml file, then restart the service.
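The scan output above is just the JVM's InputArguments string, so the same check can be run from a process list or JMX dump before the scanner flags it. The script below is an added example, not code from the post, Nessus or ActiveMQ: it parses the `-D` system properties out of a JVM command line and reports whether the standard `com.sun.management.jmxremote.*` agent is exposed without password authentication or TLS, applying the JDK's documented defaults (authentication and SSL are on by default once `.port` is set). The three argument strings are constructed samples (the first is shortened from the page's output; the file paths in the hardened one are placeholders). Note the caveat it prints for the page's own case: a bare `-Dcom.sun.management.jmxremote` only starts the local agent, and ActiveMQ can open its own RMI connector from the managementContext element in activemq.xml (the file the post's fix edits), which no JVM-flag audit can see.

```python
"""Audit a JVM argument string for an insecurely exposed JMX agent (added example)."""
import shlex

JMX = "com.sun.management.jmxremote"

# Constructed from the scan output on this page (paths shortened): jmxremote is
# enabled with no further settings.
PAGE_ARGS = ("-Xms64M -Xmx1G -Dcom.sun.management.jmxremote "
             "-Djava.awt.headless=true -Dactivemq.home=/soft/activemq/")

# Constructed weak configuration: remote port open, authentication and TLS off.
INSECURE_ARGS = ("-Xmx1G -Dcom.sun.management.jmxremote.port=1099 "
                 "-Dcom.sun.management.jmxremote.authenticate=false "
                 "-Dcom.sun.management.jmxremote.ssl=false")

# Constructed hardened configuration; the file paths are placeholders.
HARDENED_ARGS = ("-Xmx1G -Dcom.sun.management.jmxremote.port=1099 "
                 "-Dcom.sun.management.jmxremote.rmi.port=1099 "
                 "-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password "
                 "-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access "
                 "-Dcom.sun.management.jmxremote.ssl=true "
                 "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true "
                 "-Djavax.net.ssl.keyStore=/path/to/keystore.jks "
                 "-Djavax.net.ssl.trustStore=/path/to/truststore.jks")


def parse_system_properties(args):
    """Map every -Dname[=value] in a JVM argument string to its value.
    A bare -Dname is stored as "" because the JVM treats it as defined."""
    props = {}
    for tok in shlex.split(args):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def _is_true(props, name, default):
    """Boolean system property, with the JDK default applied when it is absent."""
    value = props.get(name)
    return default if value is None else value.strip().lower() == "true"


def audit_jmx(args):
    """Return a list of finding strings; an empty list means nothing to report."""
    props = parse_system_properties(args)
    if not any(k == JMX or k.startswith(JMX + ".") for k in props):
        return []  # JMX agent not enabled through system properties
    port = props.get(JMX + ".port")
    if port is None:
        # Bare -Dcom.sun.management.jmxremote only starts the local (same-host) agent.
        # Frameworks such as ActiveMQ can still open a remote connector from their own
        # config (activemq.xml managementContext), which this audit cannot observe.
        return ["INFO: local JMX agent enabled; no remote port set via JVM properties, "
                "check the application's own management configuration"]
    findings = []
    # Once .port is set the JDK defaults .authenticate and .ssl to true.
    if not _is_true(props, JMX + ".authenticate", True):
        findings.append(f"HIGH: remote JMX on port {port} without password authentication")
    if not _is_true(props, JMX + ".ssl", True):
        findings.append(f"HIGH: remote JMX on port {port} without SSL/TLS")
    elif not _is_true(props, JMX + ".ssl.need.client.auth", False):
        findings.append(f"LOW: remote JMX on port {port} does not require client certificates")
    return findings


if __name__ == "__main__":
    for label, sample in (("page", PAGE_ARGS), ("insecure", INSECURE_ARGS),
                          ("hardened", HARDENED_ARGS)):
        print(label, audit_jmx(sample) or ["OK"])
```

Feed it the InputArguments value from `jcmd <pid> VM.command_line` or from `ps`; any HIGH line corresponds to the condition this plugin reports, and the INFO line is the signal to go look at the application's own management settings.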
