Automic Workload Automation


RMI Server Insecure Default Configuration

  • 1.  RMI Server Insecure Default Configuration

    Posted 17 days ago
    Edited by John Vance 17 days ago
    Our security scan popped up this message against our production Appworx V9 server:

    Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability

    "To mitigate this vulnerability, disable class loading by setting the system property -Djava.rmi.server.useCodebaseOnly=true option, and/or set JAVA_OPTS or process file to include this system property, or contact your vendor for support"

    We are running Automic Applications Manager 9.2.1_28679_28815 and java version 1.8.0_144

    I can't find what java options are set when the RMI server is started.  I can't find a properties file to set this as a system property.  I have no idea where to add this startup option.  I have no idea whether Appworx V9 relies on this security hole and whether the RMI server will function properly with it set.

    I would post this to support, but wolkenservicedesk.com has been "authenticating the user" for the past 20 minutes.

    Any help would be very much appreciated.


  • 2.  RE: RMI Server Insecure Default Configuration

    Posted 12 days ago
    I'm guessing this is not something anyone else here has encountered.  I have some information to share then, because this is an actual and severe vulnerability of Appworx 9's RMI server.

    Broadcom support is still down.  I guess I should find a phone number and call?

    Anyway, here is how the RMI server is started.

    The startup file is <appworx root directory>/data/inst.pl <--- yes it's a perl script

    Look for sub start_rmi

    Line 5721 of our version of inst.pl is the following, which is the start command:

    $command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";

    None of the options above appear to be setting any RMI specific settings.  The environment variable $START_OPTION_RMI is not set on our system.  It appears that Appworx/CA/Broadcom wrote their own wrapper around RMI - AxRmiServer - which might set some options by default.

    Now the question is, what is a clean way to add on -Djava.rmi.server.useCodebaseOnly=true to that command line.  I'm thinking just jam it in there - it's perl, nothing is "clean."

    # -Djava.rmi.server.useCodebaseOnly=true added to resolve CVE "Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability"
    $command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug -Djava.rmi.server.useCodebaseOnly=true com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";

    Unless someone has a better idea I'm going to test this out right now.


  • 3.  RE: RMI Server Insecure Default Configuration
    Best Answer

    Posted 12 days ago
    I don't see anything wrong with your approach; it's a JVM option like the -DAGENT and -Xmx options already present. So yeah, I'd jam that in there too at least for testing.

    The only consideration is: will it vanish with successive product updates if this perl script gets overwritten? I don't know anything about Appworx, but that's probably how it goes. In that case, you could try the environment variables JAVA_TOOL_OPTIONS or _JAVA_OPTIONS. One of those should work.

    https://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-VM/html/envvars.html
    https://stackoverflow.com/questions/417152/how-do-i-set-javas-min-and-max-heap-size-through-environment-variables

    Hth,

    ------------------------------
    These contain very good advice on asking questions and describing supposed bugs (no, you do not need to go to StackExchange for Automic questions, but yes, the parts on asking detailed, useful questions ARE usually relevant):

    http://www.catb.org/~esr/faqs/smart-questions.html

    https://www.chiark.greenend.org.uk/~sgtatham/bugs.html

    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------
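To confirm that the mitigation actually took effect after either approach above (the edit to the inst.pl command line, or JAVA_TOOL_OPTIONS as suggested in the best answer), here is a small verification script. It is an added example, not code from the thread or from the Automic product; it assumes the process command line comes from ps and that the JVM's "Picked up JAVA_TOOL_OPTIONS:" startup line landed in the RMI logfile, and the sample command lines and log text are constructed.

```shell
#!/bin/sh
# Added check: confirm the AxRmiServer JVM is effectively running with
# java.rmi.server.useCodebaseOnly=true, whether it was jammed into the inst.pl
# command line or supplied through JAVA_TOOL_OPTIONS.
PROP='java.rmi.server.useCodebaseOnly'

# Print the last value of -D$PROP=... in a string of JVM options (empty if absent).
# HotSpot lets a later occurrence override an earlier one, so the last one counts.
last_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D${PROP}=//p" | tail -n 1
}

# Effective value for a running server.
#   $1: process command line (on a live host: ps -o args= -p <pid> of AxRmiServer)
#   $2: contents of the RMI logfile; inst.pl redirects 2>&1 into it, so the JVM's
#       "Picked up JAVA_TOOL_OPTIONS: ..." startup line ends up there.
# JAVA_TOOL_OPTIONS is parsed before the command line, so command-line values win.
effective_value() {
    tool_opts=$(printf '%s\n' "$2" | sed -n 's/^Picked up JAVA_TOOL_OPTIONS: //p' | tail -n 1)
    v=$(last_value "$tool_opts $1")
    printf '%s\n' "${v:-unset}"
}

# Exit status 0 when remote codebase class loading is disabled, 1 otherwise.
rmi_hardened() {
    [ "$(effective_value "$1" "$2")" = "true" ]
}

# Constructed sample data modelled on the command line quoted in the thread.
CMD_BEFORE='java -DAGENT=OPER -Xrs -Xmx512m -DAW_HOME=/opt/appworx -DOsType=Linux com.appworx.server.data.AxRmiServer'
CMD_AFTER="java -DAGENT=OPER -Xrs -Xmx512m -DAW_HOME=/opt/appworx -DOsType=Linux -D${PROP}=true com.appworx.server.data.AxRmiServer"
LOG_PLAIN='RMI server started'
LOG_ENV="Picked up JAVA_TOOL_OPTIONS: -D${PROP}=true
RMI server started"

echo "unpatched command line: $(effective_value "$CMD_BEFORE" "$LOG_PLAIN")"   # unset
echo "patched inst.pl:        $(effective_value "$CMD_AFTER"  "$LOG_PLAIN")"   # true
echo "via JAVA_TOOL_OPTIONS:  $(effective_value "$CMD_BEFORE" "$LOG_ENV")"     # true
```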