This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch 3.7.x in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 3d221561761a0ab7c86896cc0028f21b65cc2b4d
Author: Benoit TELLIER <btell...@linagora.com>
AuthorDate: Tue Dec 19 16:55:52 2023 +0100
[FIX] Set up JMX auth filter for Guice
This prevents un-authenticated user from triggering deserialization exploits which could be exploited for privilege escalation.
---
 .../jmx/src/main/java/org/apache/james/modules/server/JMXServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
index 901926dad2..d880208f35 100644
--- a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
+++ b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
@@ -129,8 +129,9 @@ public class JMXServer implements Startable {
 Map<String, String> environment = Optional.of(existJmxPasswordFile())
 .filter(FunctionalUtils.identityPredicate())
 .map(hasJmxPasswordFile -> ImmutableMap.of("jmx.remote.x.password.file", jmxPasswordFilePath,
- "jmx.remote.x.access.file", jmxAccessFilePath))
- .orElse(ImmutableMap.of());
+ "jmx.remote.x.access.file", jmxAccessFilePath,
+ "jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*"))
+ .orElse(ImmutableMap.of("jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*"));
 jmxConnectorServer = JMXConnectorServerFactory.newJMXConnectorServer(new JMXServiceURL(serviceURL),
 environment,
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org
For additional commands, e-mail: notifications-h...@james.apache.org
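Review bot: The `jmx.remote.rmi.server.credentials.filter.pattern` entry added in both branches only constrains the object deserialized for the login credentials; once a client is past authentication, MBean `invoke`/`setAttribute` arguments still arrive through ordinary RMI deserialization, so on runtimes that honour it I would also set `jmx.remote.rmi.server.serial.filter.pattern` with an allow-list matching the argument types James' MBeans actually accept. The `.orElse` branch in particular still starts the connector with no authenticator when no password file exists, so there the filter narrows the gadget surface but adds no authentication, which the commit message's "auth filter" wording slightly overstates. The key is silently ignored by JDK builds that predate it, so a comment on the map such as `// Restrict RMI credential deserialization to String(s); requires a JDK build that honours this key` would record the runtime assumption. The same literal is now repeated twice; hoist it to `private static final String CREDENTIALS_FILTER_PATTERN = "java.lang.String;!*";` and reference it from both branches. The enclosing method starts and ends outside the hunk.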