Posted to notifications@james.apache.org by bt...@apache.org on 2023/02/26 13:40:11 UTC

[james-project] branch 3.7.x updated: JAMES-3881 -Djmx.remote.x.mlet.allow.getMBeansFromURL=false (#1460)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/3.7.x by this push:
     new ab82c9104f JAMES-3881 -Djmx.remote.x.mlet.allow.getMBeansFromURL=false (#1460)
ab82c9104f is described below

commit ab82c9104f0ad787d46dbff5e55d39e4c02fb5c3
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Sun Feb 26 20:40:04 2023 +0700

    JAMES-3881 -Djmx.remote.x.mlet.allow.getMBeansFromURL=false (#1460)
    
    This prevents the use of MLets for remote code execution and
    makes life harder for attackers.
---
 server/apps/cassandra-app/sample-configuration/jvm.properties       | 4 ++++
 .../distributed-app/docs/modules/ROOT/pages/operate/security.adoc   | 2 +-
 server/apps/distributed-app/sample-configuration/jvm.properties     | 6 +++++-
 .../apps/distributed-pop3-app/sample-configuration/jvm.properties   | 6 +++++-
 server/apps/jpa-app/sample-configuration/jvm.properties             | 4 ++++
 server/apps/jpa-smtp-app/sample-configuration/jvm.properties        | 6 +++++-
 server/apps/memory-app/sample-configuration/jvm.properties          | 4 ++++
 server/apps/spring-app/pom.xml                                      | 4 +++-
 8 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/server/apps/cassandra-app/sample-configuration/jvm.properties b/server/apps/cassandra-app/sample-configuration/jvm.properties
index 0b68f80998..04613ace32 100644
--- a/server/apps/cassandra-app/sample-configuration/jvm.properties
+++ b/server/apps/cassandra-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
 #james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
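Review bot: The comment above the new key only says it disables a "Remote Code Execution feature from JMX", which tells an operator neither what is switched off nor why a sample config needs it when, if I read the linked MBeanServerAccessController correctly, `false` is already the JDK default for this property; suggest `# Refuse javax.management.loading.MLet#getMBeansFromURL over JMX (loads MBean classes from a remote URL); recent JDKs default this to false, set explicitly as defence in depth.` The entry also only takes effect if James applies jvm.properties as JVM system properties before the JMX connector is created, which this diff does not show, so the comment (or the security.adoc sentence) should name the `-Djmx.remote.x.mlet.allow.getMBeansFromURL=false` launcher flag as the equivalent for deployments that do not ship this file. Trailing-newline handling is also inconsistent: this file, distributed-app and jpa-app end without one (`\ No newline at end of file`) while distributed-pop3-app, jpa-smtp-app and memory-app gain one, although all six receive the same block. The same note applies to the five other jvm.properties hunks in this commit.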
diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
index 3170b360d8..de45b23e04 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
@@ -61,7 +61,7 @@ for your outgoing emails to be trusted.
  - 8. Prevent access to JMX. This can be achieved through a strict firewalling policy
 (link:https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/[blocking port 9999 is not enough])
 or xref:configure/jmx.adoc[disabling JMX]. JMX is needed to use the existing CLI application but webadmin do offer similar
-features.
+features. Set the `jmx.remote.x.mlet.allow.getMBeansFromURL` to `false` to disable JMX remote code execution feature.
 
  - 9. If JMAP is enabled, be sure that JMAP PUSH cannot be used for server side request forgery. This can be
 xref:configure/jmap.adoc[configured] using the `push.prevent.server.side.request.forgery=true` property,
diff --git a/server/apps/distributed-app/sample-configuration/jvm.properties b/server/apps/distributed-app/sample-configuration/jvm.properties
index a3ddab4185..04613ace32 100644
--- a/server/apps/distributed-app/sample-configuration/jvm.properties
+++ b/server/apps/distributed-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
 # Optional. Boolean. Defaults to false. Recommended value is false.
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
diff --git a/server/apps/distributed-pop3-app/sample-configuration/jvm.properties b/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
index a3ddab4185..65e94f8a5a 100644
--- a/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
+++ b/server/apps/distributed-pop3-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
 # Optional. Boolean. Defaults to false. Recommended value is false.
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/jpa-app/sample-configuration/jvm.properties b/server/apps/jpa-app/sample-configuration/jvm.properties
index 0b68f80998..04613ace32 100644
--- a/server/apps/jpa-app/sample-configuration/jvm.properties
+++ b/server/apps/jpa-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
 #james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
\ No newline at end of file
diff --git a/server/apps/jpa-smtp-app/sample-configuration/jvm.properties b/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
index a3ddab4185..65e94f8a5a 100644
--- a/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
+++ b/server/apps/jpa-smtp-app/sample-configuration/jvm.properties
@@ -15,4 +15,8 @@
 # Optional. Boolean. Defaults to false. Recommended value is false.
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
-#james.message.usememorycopy=false
\ No newline at end of file
+#james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/memory-app/sample-configuration/jvm.properties b/server/apps/memory-app/sample-configuration/jvm.properties
index 0b68f80998..65e94f8a5a 100644
--- a/server/apps/memory-app/sample-configuration/jvm.properties
+++ b/server/apps/memory-app/sample-configuration/jvm.properties
@@ -16,3 +16,7 @@
 # Should MimeMessageWrapper use a copy of the message in memory? Or should bigger message exceeding james.message.memory.threshold
 # be copied to temporary files?
 #james.message.usememorycopy=false
+
+# Disable Remote Code Execution feature from JMX
+# CF https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerAccessController.java#L646
+jmx.remote.x.mlet.allow.getMBeansFromURL=false
diff --git a/server/apps/spring-app/pom.xml b/server/apps/spring-app/pom.xml
index 390ace06b6..f82cd65365 100644
--- a/server/apps/spring-app/pom.xml
+++ b/server/apps/spring-app/pom.xml
@@ -49,10 +49,12 @@
         <javamail.system-property9>-Dmail.mime.decodeparameters=true</javamail.system-property9>
         <javamail.system-property10>-Dmail.mime.address.strict=false</javamail.system-property10>
         <javamail.system-property11>-Djames.jmx.unregister.log4j.mbeans=true</javamail.system-property11>
+        <javamail.system-property12>-Djmx.remote.x.mlet.allow.getMBeansFromURL=false</javamail.system-property12>
         <javamail.system-properties>${javamail.system-property1} ${javamail.system-property2}
             ${javamail.system-property3} ${javamail.system-property4} ${javamail.system-property5}
             ${javamail.system-property6} ${javamail.system-property7} ${javamail.system-property8}
-            ${javamail.system-property9} ${javamail.system-property10} ${javamail.system-property11}</javamail.system-properties>
+            ${javamail.system-property9} ${javamail.system-property10} ${javamail.system-property11}
+            ${javamail.system-property12} </javamail.system-properties>
 
         <!-- JMX system properties -->
         <!-- For more details see -->
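Review bot: The new `-Djmx.remote.x.mlet.allow.getMBeansFromURL=false` is appended to the `javamail.system-properties` list even though a dedicated `<!-- JMX system properties -->` block starts three lines below (its content lies outside the hunk), so a `javamail.*` property now carries a JMX flag; if that JMX block is also expanded into the launcher command line, the flag belongs there so the groups keep their meaning. The rewrapped closing line also picks up a stray space before the end tag, `${javamail.system-property12} </javamail.system-properties>`, where the previous line had none; suggest `${javamail.system-property12}</javamail.system-properties>` so the expanded string does not end in whitespace.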

