43 posts categorized "jboss"


OMG! A *JBoss* Worm!!

I nearly fell out of my chair when I came across this post at the Internet Storm Center:  JBoss Worm.  JBoss certainly has come a long way--now it's got a worm!  The JBoss Community article "Statement Regarding Security Threat to JBoss Application Server" has some additional information but both the ISC and JBoss Community articles are a bit short on information--for example, I'm kind of interested what kind of code gets executed once infection as occurred.  (Update:  OK, I take that last sentence back.  The first comment descibes what the worm does in very nice detail)

The worm spreads by connecting to unsecured jmx consoles and then executes code as the user jboss runs as.  If you hadn't followed the instructions in "Securing the JMX and Web Console" to restrict access to the jmx console, placed your app servers in your DMZs, and figured running them on port 80 as root was fine because "it's *just* jboss...who hacks jboss?" then you're in for a rough night and/or weekend.

If you are front-ending your jboss servers with Apache and figured setting a ProxyPass and ProxyPassReverse for "/" to your app servers was fine, it wasn't.  The same applies to those mod_jk JkMount's for "/*".


JBoss Application Server 7 Released

I saw the announcement over on Rich Sharples' blog that JBoss Application Server 7 is out.  The blog post covers some of the interesting new features and changes.  I also received an email from Redhat with 7 reasons to love about the new release:

  1. Blazing fast start-up time - up to 10X faster!
  2. Java EE 6 - leading the pack. again.
  3. Very lightweight - exceptionally small footprint and aggressive memory management mean you can run it practically everywhere.
  4. Modular core - delivers true application isolation.
  5. Elegant management - simplified console and APIs.
  6. Domain management - manage servers as groups.
  7. Testable by design - simplified in-container testing via the Arquillian project speeds development. 

The JBoss community site has binaries available so we can all start playing right away.  Congratulations to the JBoss App Server team on this new release!  The countdown to JBoss EAP6 has now started.


Suppressing the X-Powered-By Header in JBoss

Back before PCI, we used to be able to display things like the type and version of the web server software we were running on our sites.  We wanted everyone to know that we were using Apache or IIS or Netscape Enterprise Server.  We wanted to make sure that NetCraft could view that information, too.  Software writers, both commercial and open-source, easily accomodated our wishes, setting version information up right in the header.  For some, outputting this information in a Server header and footer page was not enough, so a new HTTP Header was introduced called "X-Powered-By".  Unfortunately, displaying the OS, Web, or App Server information is considered an information disclosure vulnerability now so we all need to now configure our servers so this information is not provided.

JBoss inserts an X-Powered-By header in every HTTP response header; typically providing juicy bits of information like the Servlet specification that JBoss complies with, the JBoss app server version number, a build number, and the version of tomcat or jboss web that the app server utilizes.  If you need to know how to suppress the X-Powered-By header in JBoss, read on and note that the technique varies depending upon the version of JBoss you are running.

JBoss 4.2.X

Suppressing the X-Powered-By header in JBoss 4.2.x can be done by modifying the web.xml file located in ${jboss.home}/server/${server.instance.name}/deploy/jboss-web.deployer/conf/.  For example, if you are using the 'default' instance and running jboss 4.2.3 from /usr/local, the path to the configuration file would be /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/.  Locate the Common Filter Configuration line (line 25 on a stock 'default' server instance configuration file) and comment out the lines for the init-param, param-name, and param-value entries.  Example below

  <!-- ================== Common filter Configuration ==================== -->
    <!--   <init-param> -->
    <!--      <param-name>X-Powered-By</param-name>  -->
    <!--      <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807     181439)/JBossWeb-2.0</param-value>  -->
    <!--   </init-param>  -->

Restart JBoss and the header will no longer show up.

JBoss 5.0

The web.xml file that needs to be updated is located in a different location than with JBoss 4,2 but the technique is the same. To suppress the X-Powered-By header under JBoss 5.0, comment out the init-param, param-name, and param-value line entries from the web.xml located in ${jboss.home}server/${server.instance.name}/deployers/jbossweb.deployer/.

  <!-- ================== Common filter Configuration ==================== -->
    <!--   <init-param>  -->
    <!--      <param-name>X-Powered-By</param-name>  -->
    <!--      <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>  -->
    <!--   </init-param>  -->

Once you have made the configuration changes, restart JBoss so they can take effect.

JBoss 6.0

In order to suppress the X-Powered-By header in JBoss 6, you no longer make changes to web.xml files but instead modify the catalina.properties file included with your server instance.  Edit the catalina.properties file located in ${jboss.home}/server/${server.instance.name}/deploy/jbossweb.sar/.  Locate the property named: org.apache.catalina.connector.X_POWERED_BY and set its value to false.  Restart the server and you're all set.

Related Content
Tomcat/JBoss: Suppressing Server Identity - Part One
Tomcat/JBoss: Suppressing Server Identity - Part Two