Peer Knowledge Base

Mitigate the Java JMX Agent Insecure Configuration vulnerability in Nessus


Applies to PeerGFS v4.6.0 and earlier.  PeerGFS v4.7.0 and later are not affected by this vulnerability.

When using Nessus Scanner to search for vulnerabilities on a server hosting Peer Management Center, it may detect a "Java JMX Agent Insecure Configuration" vulnerability.  Details on the vulnerability may look like this:

(Screenshot: Nessus finding details for "Java JMX Agent Insecure Configuration".)

This alert is triggered by the JMX connector of the Peer Management Broker Service, which is configured to listen only on the loopback address (127.0.0.1) of the server where the PMC is installed.  Unfortunately, an issue in ActiveMQ (the broker technology used by PeerGFS) prevents the JMX agent connection from binding to a specific interface, so the connector remains reachable from other addresses despite that setting.

Step-by-step guide

There are two options to mitigate this vulnerability.  One involves setting up a firewall rule to fully block remote access to port 1099, while the other involves disabling a diagnostic tool for the Peer Management Broker.  The firewall rule is our recommended method.

Option 1:  Set up a Windows Firewall rule

Create a new rule in Windows Firewall to prevent access to port 1099 from all IP addresses except the loopback (127.0.0.1) address.

Option 2:  Disable the diagnostic tool in the Peer Management Broker

  1. Use Remote Desktop Protocol (RDP) to access the server where the Peer Management Center is installed.

  2. Stop all running jobs in the PMC client and stop all Peer Management services.

  3. Navigate to <PMC Installation Directory>\Broker\conf in Windows Explorer.

  4. Edit the activemq.xml file in a text editor.

  5. Look for the following line in the XML file:

    <managementContext createConnector="true" connectorHost="127.0.0.1"/>

  6. Replace this line with the following:

    <managementContext createConnector="false" connectorHost="127.0.0.1"/>

  7. Restart the Peer Management services, open the PMC client, and start your jobs.

  8. Re-run the Nessus scan against the server where the PMC is installed.

Note: Disabling this diagnostic tool will not affect the core functionality of PeerGFS, but it will remove the ability to perform some troubleshooting steps with the Peer Management Broker.
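The firewall rule from Option 1, the activemq.xml edit from Option 2 and a quick check of the result, as one added PowerShell example that is not part of this article or of PeerGFS. The installation path, the rule name, the regular expression and the two function names are my own assumptions; adjust the path to your <PMC Installation Directory>.

```powershell
# Added example (not part of the Peer Knowledge Base article or the PeerGFS product).
# Run in an elevated PowerShell session on the server that hosts the Peer Management Center.
# $PmcRoot is an assumed installation path; change it to your <PMC Installation Directory>.
$PmcRoot   = 'C:\Program Files\Peer Software\Peer Management Center'
$BrokerXml = Join-Path $PmcRoot 'Broker\conf\activemq.xml'
$RuleName  = 'PeerGFS - Block remote JMX/RMI (TCP 1099)'   # assumed name, pick your own

# --- Option 1: block remote access to TCP 1099 -------------------------------
# Windows Firewall does not filter loopback traffic, so the broker's own use of
# 127.0.0.1:1099 keeps working while every remote client is blocked. Block rules
# also win over any Allow rule the installer may have created for the broker.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1099 -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# --- Option 2: turn off the JMX connector in activemq.xml --------------------
function Disable-BrokerJmxConnector {
    param([Parameter(Mandatory)][string]$Path)
    $xml = Get-Content -Path $Path -Raw
    # Touch only the managementContext element; the rest of the file stays byte-for-byte.
    $pattern = '(<managementContext\b[^>]*\bcreateConnector=")true(")'
    if ($xml -notmatch $pattern) { return $false }   # already "false" or element absent
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value ($xml -replace $pattern, '${1}false$2') -NoNewline
    return $true
}
# Uncomment only after stopping the Peer Management services (step 2 of the guide):
# Disable-BrokerJmxConnector -Path $BrokerXml

# --- Verification: is the JMX/RMI port still listening, and is the rule in place? ---
function Test-JmxExposure {
    $listener = Get-NetTCPConnection -LocalPort 1099 -State Listen -ErrorAction SilentlyContinue
    $local    = (Test-NetConnection -ComputerName 127.0.0.1 -Port 1099 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        ListeningOn      = if ($listener) { ($listener.LocalAddress | Select-Object -Unique) -join ',' } else { '(none)' }
        LoopbackReaches  = $local          # stays $true with Option 1, becomes $false with Option 2
        BlockRulePresent = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}
Test-JmxExposure
```

From a second machine, `Test-NetConnection <pmc-server> -Port 1099` should now report `TcpTestSucceeded : False` before you re-run the Nessus scan.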
