Questions about the presence of the Jolokia library in GeoNetwork code

Questions about the presence of the Jolokia library in GeoNetwork code

THEETEN Franck
Dear all

A few days ago, I noticed that our Ubuntu machine with GeoNetwork (version 3.10) was performing outgoing connections to an IRC channel.
The following command:
netstat -putw
...was returning:
tcp6       0      0 geocatalogue.afric:http irc.efnet.nl:ircd       SYN_RECV    -

By checking the WEB-INF/lib folder of GeoNetwork I noticed that GeoNetwork uses the jolokia library (jolokia-core-1.6.0.jar).
This library sends a message to the logs when GeoNetwork is started:
Sep 24 20:09:17 geocatalogue.africamuseum.be tomcat9[15427]: Deploying web application archive [/var/lib/tomcat9/webapps/geonetwork.war]
Sep 24 20:09:43 geocatalogue.africamuseum.be tomcat9[15427]: No Spring WebApplicationInitializer types detected on classpath
Sep 24 20:16:52 geocatalogue.africamuseum.be tomcat9[15427]: jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
Sep 24 20:17:06 geocatalogue.africamuseum.be tomcat9[15427]: Initializing Spring FramewrkServlet 'spring'

I'm not familiar with Jolokia and Java, but this is apparently a service exposing the JMX interface as a REST API running on HTTP ports (80 or 443), without authentication.
https://jolokia.org/features-nb.html
But this link from SolarWinds states that Java services exposing their JMX interface publicly have an important security breach, allowing an external user to register remotely runnable Java applications:
https://support.solarwinds.com/SuccessCenter/s/article/JAVA-JMX-interface-vulnerability?language=en_US
There is also an IRC server that can be registered as an MBean component, as described in the SolarWinds link:
http://j-ircd.sourceforge.net/
If I understand correctly, Jolokia can then be used to upload any runnable Java program to the GN Java context directly on port 80, making it possible to bypass the firewall rules described in the SolarWinds link (blocking ports 1099 and 9004). Isn't that a major security risk? What's the purpose of having Jolokia enabled in GeoNetwork and how is it supposed to work?

Best regards,

Franck Theeten

Royal Museum for Central Africa
Support services, ICT
Project manager, databases and web applications
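
Added here as an example, not part of the thread: a small Python triage script for the two indicators Franck describes, a netstat row with an IRC service on the remote side and the jolokia-agent line announcing which access policy it loaded. The sample netstat and journal lines are constructed from the ones quoted above, plus two invented benign rows so the filter has something to ignore.

```python
"""Triage helpers for the two indicators in the post above: an IRC peer in
netstat output and the Jolokia agent announcing its access policy in the log."""
import re

# Constructed netstat -putw sample: first row copied from the post, two invented benign rows.
NETSTAT_SAMPLE = """\
tcp6       0      0 geocatalogue.afric:http irc.efnet.nl:ircd       SYN_RECV    -
tcp        0      0 geocatalogue.afric:http 10.0.0.5:52114          ESTABLISHED 15427/java
tcp        0      0 geocatalogue.afric:49152 db.internal:postgresql  ESTABLISHED 15427/java
"""

# Constructed journal sample built from the lines quoted in the post.
LOG_SAMPLE = """\
Sep 24 20:09:17 geocatalogue.africamuseum.be tomcat9[15427]: Deploying web application archive [/var/lib/tomcat9/webapps/geonetwork.war]
Sep 24 20:16:52 geocatalogue.africamuseum.be tomcat9[15427]: jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
Sep 24 20:17:06 geocatalogue.africamuseum.be tomcat9[15427]: Initializing Spring FramewrkServlet 'spring'
"""

IRC_SERVICES = {"ircd", "ircs", "6667", "6697"}  # names/ports netstat prints for IRC peers

def find_irc_connections(netstat_output):
    """Return (local, remote, state) for each TCP row whose remote side is an IRC
    service. A catalogue server has no reason to talk to IRC in either direction."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        if remote.rsplit(":", 1)[-1] in IRC_SERVICES:
            hits.append((local, remote, state))
    return hits

JOLOKIA_RE = re.compile(r"jolokia-agent: Using policy access restrictor (\S+)")

def find_jolokia_policy(log_text):
    """Return where the Jolokia agent says it loads its access policy from,
    or None if no jolokia-agent startup line is present."""
    for line in log_text.splitlines():
        match = JOLOKIA_RE.search(line)
        if match:
            return match.group(1)
    return None

if __name__ == "__main__":
    for local, remote, state in find_irc_connections(NETSTAT_SAMPLE):
        print(f"IRC peer: {local} <-> {remote} ({state})")
    print("Jolokia access policy:", find_jolokia_policy(LOG_SAMPLE))
```

Run it against the real output of netstat -putw and journalctl -u tomcat9 on the host to check whether the IRC peer recurs and which policy file restricts the Jolokia endpoint.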






_______________________________________________
GeoNetwork-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Re: Questions about the presence of the Jolokia library in GeoNetwork code

jody.garnett
Franck:

Please note that open source projects generally have a responsible disclosure policy to avoid discussions of this nature in public.

Please contact a member of the Project steering committee to proceed with this discussion. 

Open source thrives on transparency with two exceptions: security vulnerabilities and harassment.

Thank you for taking part in our community. 

Jody 

On Fri, Sep 25, 2020 at 5:57 AM Franck Theeten <[hidden email]> wrote:
--
Jody Garnett



Re: Questions about the presence of the Jolokia library in GeoNetwork code

Christophe Mangeat

On Fri, Sep 25, 2020 at 4:17 PM Jody Garnett <[hidden email]> wrote:

Re: Questions about the presence of the Jolokia library in GeoNetwork code

THEETEN Franck
In reply to this post by jody.garnett
Dear Jody,

I understand your point, but I place myself in the perspective of a user having colleagues asking whether the data they store in GeoNetwork are safe or not. How can we expect any vulnerability present in Open-Source applications to be removed or fixed if they aren't discussed? There should be at least a channel to communicate them.
There are actually open-source initiatives dealing with security and best practices, like OWASP: https://owasp.org/

Best,

Franck

From: Jody Garnett <[hidden email]>
Sent: Friday, 25 September 2020 16:16
To: Franck Theeten <[hidden email]>
Cc: André De Mûelenaere <[hidden email]>; Francois Kervyn de Meerendré <[hidden email]>; Roel Paesen <[hidden email]>; [hidden email] <[hidden email]>
Subject: Re: [GeoNetwork-devel] Questions about the presence of the Jolokia library in GeoNetwork code
 