JBoss JMX Console Unrestricted Access

Description

In the default configuration, after JBoss is installed, the web console is available at http://localhost:8080/web-console. The web console can be used to display the JNDI tree, dump the list of threads, redeploy an application or even shut down the application server. By default, the console is not secured and can be used by remote attackers. Check References for detailed information.

Remediation

Restrict access to JBoss Web Console.
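
One way to apply this restriction with standard servlet security constraints, shown as an added example (not part of the original advisory and not JBoss's shipped configuration). The role name, realm name and security domain name are assumptions; match them to your own login configuration.

```xml
<!-- WEB-INF/web.xml of the console web application (constructed example) -->

<!-- Weak form, kept commented out for comparison: naming methods protects
     only GET and POST, so any other HTTP verb falls outside the constraint. -->
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Console</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ConsoleAdmin</role-name>
  </auth-constraint>
</security-constraint>
-->

<!-- Hardened form -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Console</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements: the constraint covers every verb -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>ConsoleAdmin</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only encoded, so require TLS;
         this needs an HTTPS connector to be configured -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss Console</realm-name> <!-- assumed realm name -->
</login-config>
<security-role>
  <role-name>ConsoleAdmin</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: bind the application to a JAAS security domain.
     The domain name after java:/jaas/ is an assumption. -->
<jboss-web>
  <security-domain>java:/jaas/console-admins</security-domain>
</jboss-web>
```

After redeploying, confirm that a request without credentials, using any HTTP method, no longer returns the console.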

References
Tags
  • Information Disclosure
  • Configuration