ZDI-CAN-13449


REPORTED PRODUCTS

  • WSO2 API Manager

WSO2 JUSTIFICATION

ZDI-CAN-13449 [1] discusses the Java Management Extensions (JMX) and Remote Method Invocation (RMI) services available with WSO2 products. Java Management Extensions (JMX) is a technology that lets you implement management interfaces for Java applications [2]. The services in question enforce authentication and authorization to prevent unauthorized access. As also documented in [2], the JMX service can only be accessed after properly authenticating with the credentials of a user having Server Admin permission.

Although ZDI-CAN-13449 states that authentication is not required to exploit this vulnerability, that statement rests only on the fact that the default administrator credentials (admin/admin) shipped with the product can be used to connect to the JMX port.

Even though WSO2 products are shipped with default administrator credentials, we highly recommend changing them. This is further detailed in the Security Guidelines for Production Deployments [3].

Once the default administrator credentials are changed, JMX authentication uses the new credentials as well: the service can be accessed only with valid credentials of a user having Server Admin permission. Considering the above facts, the reported security issue ZDI-CAN-13449 [2] has no impact once the default admin credentials have been changed as per the Security Guidelines for Production Deployments [3]. If you have a deployment that still uses the default credentials, we strongly suggest that you change them by following the Security Guidelines for Production Deployments [3].

If JMX services are not required, you can disable JMX completely by following the WSO2 documentation [4]. As an additional security measure, you can also prevent untrusted networks from reaching the RMI registry port (rmi_registry_port, default 9999) and the RMI server port (rmi_server_port, default 11111). A JMX client needs both: the registry hands out a stub that points at the server port, so blocking only one of the two still leaves the client able to reach the registry but not complete a session.
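The two points above (the JMX service only accepts a valid Server Admin login, and both RMI ports must be reachable) can be verified from the outside with a small JMX client. The following is an added example written for this page, not WSO2's or ZDI's code; the host, the registry port 9999 and the admin/admin default are assumptions chosen to match the text. It first tries to connect with no credentials, then with the shipped default, and reports which of the two the server accepts. An unauthenticated success should never occur; a success with admin/admin means the deployment has not followed the production guidelines; two SecurityExceptions mean the endpoint requires a non-default password; an IOException means the registry or the server port it hands out is not reachable, which is the expected result once the ports are firewalled or JMX is disabled.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Probes a WSO2 JMX/RMI endpoint and classifies it as:
 *   OPEN          - accepted a connection with no credentials (should never happen)
 *   DEFAULT_CREDS - accepted admin/admin: the shipped default password is still in use
 *   AUTHENTICATED - both attempts were rejected with SecurityException
 *   UNREACHABLE   - the registry, or the RMI server port its stub points to, could not be reached
 */
public class JmxCredentialCheck {

    enum Result { OPEN, DEFAULT_CREDS, AUTHENTICATED, UNREACHABLE }

    // The default WSO2 administrator credentials; an assumption for this check.
    private static final String[] DEFAULT_CREDS = {"admin", "admin"};

    static Result probe(String host, int registryPort) {
        JMXServiceURL url;
        try {
            // Only the registry port is named here. The registry returns a stub bound to
            // rmi_server_port (default 11111), so both ports must be reachable for connect().
            url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + registryPort + "/jmxrmi");
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(e);
        }
        try {
            if (connects(url, null)) {
                return Result.OPEN;
            }
            if (connects(url, DEFAULT_CREDS)) {
                return Result.DEFAULT_CREDS;
            }
            return Result.AUTHENTICATED;
        } catch (IOException e) {
            return Result.UNREACHABLE;
        }
    }

    /** Returns true when the server accepts the credentials, false when it rejects them. */
    static boolean connects(JMXServiceURL url, String[] creds) throws IOException {
        Map<String, Object> env = new HashMap<>();
        if (creds != null) {
            env.put(JMXConnector.CREDENTIALS, creds); // key "jmx.remote.credentials"
        }
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection server = connector.getMBeanServerConnection();
            server.getMBeanCount(); // force a round trip over the authenticated session
            return true;
        } catch (SecurityException e) {
            // The server-side JMXAuthenticator rejected the login (or the absence of one).
            return false;
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9999;
        Result result = probe(host, port);
        System.out.println(host + ":" + port + " -> " + result);
        // Exit non-zero when the endpoint is reachable without a changed password,
        // so the check can fail a deployment pipeline.
        System.exit(result == Result.OPEN || result == Result.DEFAULT_CREDS ? 1 : 0);
    }
}
```

Run it as "java JmxCredentialCheck <host> 9999" from a host that is allowed to reach the management ports. Because the probe supplies the default password, run it only against deployments you operate; a DEFAULT_CREDS result is the condition the ZDI report describes, and the fix is the credential change in the Security Guidelines for Production Deployments, not a change to the JMX service itself.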

REFERENCES