I'm guessing this is not something anyone else here has encountered. I have some information to share then, because this is an actual and severe vulnerability of Appworx 9's RMI server.
Broadcom support is still down. I guess I should find a phone number and call?
Anyway, here is how the RMI server is started.
The startup file is <appworx root directory>/data/inst.pl <--- yes, it's a Perl script
Look for sub start_rmi
Line 5721 of our version of inst.pl is the following, which is the start command:
$command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";
None of the options above appear to be setting any RMI-specific settings. The environment variable $START_OPTION_RMI is not set on our system. It appears that Appworx/CA/Broadcom wrote their own wrapper around RMI - AxRmiServer - which might set some options by default.
Now the question is: what is a clean way to add -Djava.rmi.server.useCodebaseOnly=true to that command line? I'm thinking just jam it in there - it's Perl, nothing is "clean."
# -Djava.rmi.server.useCodebaseOnly=true added to resolve CVE "Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability"
$command = "$spawn -p $pidfile \"$java -DAGENT=$OPER $Xrs -Xmx$java_mb $START_OPTION_RMI -DAW_HOME=$AW_HOME -DOsType=$OSTYPE $rmidebug -Djava.rmi.server.useCodebaseOnly=true com.appworx.server.data.AxRmiServer\" 1>$logfile 2>&1";
Unless someone has a better idea I'm going to test this out right now.
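A check for the mitigation above, added here as an example and not part of the thread: it confirms that the property appears on the running JVM's command line ahead of the main class, since anything after the class name is passed to the program as an argument rather than read as a system property. The pidfile path is an assumption; the thread only shows the $pidfile variable.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the RMI server JVM was
# started with -Djava.rmi.server.useCodebaseOnly=true placed before the
# main class, where the JVM still treats it as a system property.

# Returns 0 if the property is set to true ahead of the main class, 1 otherwise.
# $1 = full command line, $2 = main class (defaults to the class from inst.pl)
rmi_codebase_only_set() {
    cmdline=$1
    main_class=${2:-com.appworx.server.data.AxRmiServer}
    # Keep only the JVM options: everything before the main class name.
    jvm_opts=${cmdline%%"$main_class"*}
    [ "$jvm_opts" != "$cmdline" ] || return 1   # main class not on the line at all
    case " $jvm_opts " in
        *" -Djava.rmi.server.useCodebaseOnly=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the pid written by "$spawn -p $pidfile" and checks the live process.
# $1 = pidfile path (assumed; the thread only shows the variable name)
check_rmi_pidfile() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "cannot read pidfile $pidfile" >&2; return 2; }
    pid=$(tr -dc '0-9' < "$pidfile")
    args=$(ps -o args= -p "$pid" 2>/dev/null) || { echo "no process $pid" >&2; return 2; }
    if rmi_codebase_only_set "$args"; then
        echo "pid $pid: java.rmi.server.useCodebaseOnly=true is set as a JVM option"
    else
        echo "pid $pid: property missing or placed after the main class" >&2
        return 1
    fi
}
```

Run check_rmi_pidfile against the pidfile written by the $spawn wrapper after restarting the RMI server; a non-zero exit means the scanner finding is still valid for that process.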
Original Message:
Sent: 02-07-2020 11:58 AM
From: John Vance
Subject: RMI Server Insecure Default Configuration
Our security scan popped up this message against our production Appworx V9 server:
Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability
"To mitigate this vulnerability, disable class loading by setting the system property -Djava.rmi.server.useCodebaseOnly=true option, and/or set JAVA_OPTS or process file to include this system property, or contact your vendor for support"
We are running Automic Applications Manager 9.2.1_28679_28815 and Java version 1.8.0_144.
I can't find what java options are set when the RMI server is started. I can't find a properties file to set this as a system property. I have no idea where to add this startup option. I have no idea whether Appworx V9 relies on this security hole and whether the RMI server will function properly with it set.
I would post this to support, but wolkenservicedesk.com has been "authenticating the user" for the past 20 minutes.
Any help would be very much appreciated.