The default JBoss install enables the jmx-console, and does not protect
it in any way, which can be used by an attacker to deploy their own
applications to your JBoss server, like:

http://blog.9bplus.com/analysis-of-j...umented-attack

https://www.trustwave.com/downloads/...ve-SpiderLabs-
Abusing-Jboss-Papathanasiou.pdf

Novell have a TID (#3024921) on securing JBoss / jmx-console, but it is
out of date (feedback already posted, so hopefully that will be corrected
soon). It plugs only the GET and POST holes, but there is a current
exploit targeting HEAD operations and it misses that entirely.

The jboss.org document on security has been updated to tighten up
security and prevent this attack.


References:
http://community.jboss.org/wiki/SecureTheJmxConsole

http://java.dzone.com/articles/jboss-jmx-console


For UserApp / RBPM, you must go further. Search for all jboss-web.xml and
web.xml files, and make these changes to all of them, not just the ones
in the .../server/default directory structure.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.