[ https://issues.apache.org/jira/browse/KARAF-7312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17683693#comment-17683693 ]
Serge Shikov commented on KARAF-7312:
-------------------------------------

[~jbonofre] Is it possible to give a recommendation for 4.2.x users on how to prevent exploits using this JMX vulnerability? For example, mTLS setup for JMX connection?

> Add support for JMX RMI credentials filter pattern
> --------------------------------------------------
>
>                 Key: KARAF-7312
>                 URL: https://issues.apache.org/jira/browse/KARAF-7312
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf
>            Reporter: Jean-Baptiste Onofré
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 4.4.0, 4.3.6
>
>
> We should configure an ObjectInputFilter for the JMX service.
> This can be done by setting a suitable filter configuration for the
> {{jmx.remote.rmi.server.credentials.filter.pattern}} key that can be
> specified within the environment variables when creating a new JMX server
> instance.
> For Karaf, it should be done in the connector factory.
> An example can be found here:
> [https://github.com/openjdk/jdk/blob/master/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java#L525]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
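
The environment-map setting described in the quoted issue, as an added example that is not Karaf's or the JDK's own code: a stand-alone JMX RMI connector server whose environment carries the credentials filter pattern. The class name, port 1099, the user `admin`, the `JMX_PASSWORD` environment variable and the pattern value `java.lang.String;!*` are assumptions made for this sketch; `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` requires Java 10 or later.

```java
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.security.auth.Subject;

public class FilteredJmxServer {
    // Assumed pattern: allow java.lang.String (arrays match by element type), reject all else.
    static final String CREDENTIALS_FILTER = "java.lang.String;!*";

    // Hypothetical authenticator: one user, password read from JMX_PASSWORD.
    static Subject authenticate(Object credentials) {
        String expected = System.getenv("JMX_PASSWORD");
        if (expected == null || !(credentials instanceof String[])) {
            throw new SecurityException("Authentication failed");
        }
        String[] c = (String[]) credentials;
        boolean ok = c.length == 2 && "admin".equals(c[0]) && c[1] != null
                && MessageDigest.isEqual(c[1].getBytes(StandardCharsets.UTF_8),
                                         expected.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            throw new SecurityException("Authentication failed");
        }
        return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) throws Exception {
        int port = 1099; // constructed value
        LocateRegistry.createRegistry(port);
        Map<String, Object> env = new HashMap<>();
        // The key from the issue: jmx.remote.rmi.server.credentials.filter.pattern.
        // The filter runs while the credentials object is deserialized, before authenticate().
        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, CREDENTIALS_FILTER);
        env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) FilteredJmxServer::authenticate);
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();
        System.out.println("JMX connector listening at " + server.getAddress());
    }
}
```

With the pattern in place, a client that sends anything other than strings as credentials is rejected during deserialization, so the authenticator only ever sees a `String[]` or `null`.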