Automic Workload Automation

  • 1.  RMI Server Insecure Default Configuration

    Posted Feb 07, 2020 12:25 PM
    Edited by Christopher Hackett Feb 07, 2020 03:11 PM
    Our security scan popped up this message against our production Appworx V9 server:

    Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability

    "To mitigate this vulnerability, disable class loading by setting the system property -Djava.rmi.server.useCodebaseOnly=true option, and/or set JAVA_OPTS or process file to include this system property, or contact your vendor for support"

    We are running Automic Applications Manager 9.2.1_28679_28815 and java version 1.8.0_144

    I can't find what java options are set when the RMI server is started.  I can't find a properties file to set this as a system property.  I have no idea where to add this startup option.  I have no idea whether Appworx V9 relies on this security hole and whether the RMI server will function properly with it set.

    I would post this to support, but wolkenservicedesk.com has been "authenticating the user" for the past 20 minutes.

    Any help would be very much appreciated.


  • 2.  RE: RMI Server Insecure Default Configuration

    Posted Feb 12, 2020 12:10 PM
    I'm guessing this is not something anyone else here has encountered.  I have some information to share then, because this is an actual and severe vulnerability of Appworx 9's RMI server.

    Broadcom support is still down.  I guess I should find a phone number and call?

    Anyway, here is how the RMI server is started.

    The startup file is <appworx root directory>/data/inst.pl <--- yes it's a perl script

    Look for sub start_rmi

    Line 5721 of our version of inst.pl is the following, which is the start command:

    $command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";

    None of the options above appear to be setting any RMI-specific settings.  The environment variable $START_OPTION_RMI is not set on our system.  It appears that Appworx/CA/Broadcom wrote their own wrapper around RMI - AxRmiServer - which might set some options by default.

    Now the question is, what is a clean way to add on -Djava.rmi.server.useCodebaseOnly=true to that command line.  I'm thinking just jam it in there - it's perl, nothing is "clean."

    # -Djava.rmi.server.useCodebaseOnly=true added to resolve CVE "Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability"
    $command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug -Djava.rmi.server.useCodebaseOnly=true com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";

    Unless someone has a better idea I'm going to test this out right now.


  • 3.  RE: RMI Server Insecure Default Configuration
    Best Answer

    Posted Feb 12, 2020 12:18 PM
    I don't see anything wrong with your approach; it's a JVM option like the -DAGENT and -Xmx options already present. So yeah, I'd jam that in there too at least for testing.

    The only consideration is: will it vanish with successive product updates if this perl script gets overwritten? I don't know anything about Appworx, but that's probably how it goes. In that case, you could try the environment variables JAVA_TOOL_OPTIONS or _JAVA_OPTIONS. One of those should work.

    https://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-VM/html/envvars.html
    https://stackoverflow.com/questions/417152/how-do-i-set-javas-min-and-max-heap-size-through-environment-variables

    Hth,
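Whichever route is taken (editing the start command in inst.pl as in post 2, or setting JAVA_TOOL_OPTIONS / _JAVA_OPTIONS as suggested in post 3), what matters is the value the running JVM actually ends up with. The following is an added example, not code from the thread or from Broadcom, that reports that effective value. It relies on the HotSpot precedence order JAVA_TOOL_OPTIONS, then the command line, then _JAVA_OPTIONS (the last occurrence of a -D property wins), and its live mode assumes Linux (pgrep, ps -o args=, /proc/PID/environ) and the AxRmiServer class name quoted in post 2; the sample command line and paths are constructed. It reports "unset" rather than assuming a default, because the JVM's own default for java.rmi.server.useCodebaseOnly changed to true in Java 7u21, so an absent flag should be confirmed against the release notes of the JVM actually in use.

```shell
#!/bin/sh
# Added example (not from the thread or the product): report the value of
# java.rmi.server.useCodebaseOnly that a JVM will actually use, given its command
# line and the JAVA_TOOL_OPTIONS / _JAVA_OPTIONS environment variables.
# HotSpot applies JAVA_TOOL_OPTIONS first, then the command line, then
# _JAVA_OPTIONS, so for a -D property the last occurrence in that order wins.

# Constructed sample modelled on the inst.pl start command quoted in the thread;
# paths and values are made up.
SAMPLE_CMDLINE='/opt/appworx/java/bin/java -DAGENT=RMI -Xrs -Xmx512m -DAW_HOME=/opt/appworx -DOsType=LINUX com.appworx.server.data.AxRmiServer'

# effective_use_codebase_only TOOL_OPTS CMDLINE JAVA_OPTS
# Prints the last -Djava.rmi.server.useCodebaseOnly=<value> seen in precedence
# order, or "unset" when no source sets it. Arguments are split on whitespace, so
# option values containing spaces are not supported (fine for this property).
effective_use_codebase_only() {
    _result=unset
    # shellcheck disable=SC2086  # word splitting is intended here
    for _word in $1 $2 $3; do
        case $_word in
            -Djava.rmi.server.useCodebaseOnly=*) _result=${_word#*=} ;;
        esac
    done
    printf '%s\n' "$_result"
}

# is_codebase_loading_disabled TOOL_OPTS CMDLINE JAVA_OPTS
# Exit status 0 only when the effective value is literally "true". "unset" is
# treated as not proven: the JVM default must then be checked for that release.
is_codebase_loading_disabled() {
    [ "$(effective_use_codebase_only "$1" "$2" "$3")" = true ]
}

# check_running_rmi_server: Linux-only live check. Finds the AxRmiServer JVM with
# pgrep, reads its argument list from ps and its environment from /proc (readable
# only as the process owner or root), then reports the effective value.
check_running_rmi_server() {
    _pid=$(pgrep -f 'com.appworx.server.data.AxRmiServer' | head -n 1)
    if [ -z "$_pid" ]; then
        echo "AxRmiServer JVM not found" >&2
        return 2
    fi
    _cmd=$(ps -o args= -p "$_pid")
    _tool=''; _jopts=''
    if [ -r "/proc/$_pid/environ" ]; then
        _tool=$(tr '\0' '\n' < "/proc/$_pid/environ" | sed -n 's/^JAVA_TOOL_OPTIONS=//p')
        _jopts=$(tr '\0' '\n' < "/proc/$_pid/environ" | sed -n 's/^_JAVA_OPTIONS=//p')
    fi
    printf 'pid %s: java.rmi.server.useCodebaseOnly=%s\n' "$_pid" \
        "$(effective_use_codebase_only "$_tool" "$_cmd" "$_jopts")"
}

# Offline demonstration on the constructed command line; pass --live to inspect
# a real process instead.
if [ "${1:-}" = --live ]; then
    check_running_rmi_server
else
    effective_use_codebase_only '' "$SAMPLE_CMDLINE" ''
    effective_use_codebase_only '' "$SAMPLE_CMDLINE -Djava.rmi.server.useCodebaseOnly=true" ''
fi
```

Run it with --live after restarting the RMI server to confirm the flag survived the edit or the environment change; a value of "unset" after a product update is the signal that an overwritten inst.pl dropped the option.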