SA#: JBoss Consoles    01‐14‐14  Security Alert – JBoss JMX, Admin and Web Consoles/Invokers

 SA#: JBoss Consoles 01‐14‐14 Security Alert – JBoss JMX, Admin and Web Consoles/Invokers
For security purposes, MICROS Systems, Inc. (MICROS) strongly recommends that users of its mymicros.net and iCare products perform the steps outlined herein, to remove the JBoss JMX, Admin and web consoles, and for certain older versions, to also remove the JMX and RMI Invokers. These JBoss consoles/Invokers are not required by these products, and could contain certain security vulnerabilities which could potentially permit unauthorized access. Users of MICROS 9700 HMS versions 3.6 or below, and MICROS Simphony versions 2.6 or below and Simphony V 1.7 and below are also strongly encouraged to visit the MICROS Information Security web site at the link below and check to ensure that these products are properly configured with these JBoss consoles removed as per the instructions shown in the PA‐DSS Implementation Guides for those products. http://www.micros.com/ServicesAndSupport/InformationSecurity/BestPracticesImplementationGuides/ Please contact your MICROS sales associate if you wish to engage MICROS to check your systems for proper configuration or to implement these configuration instructions for your myMICROS, iCare, 9700 or Simphony systems. MICROS Systems Inc. Page 1 of 4 January 14, 2014 Recommended JBoss Console Configurations for myMICROS.net and iCare Products For users of mymicros.net versions 8.1.0 and higher, it is highly recommended that the following steps be taken after deployment: Remove the JMX‐Console, Admin‐Console, Web‐Console 1. Ensure that Micros Portal service is off 2. Navigate to \mymicros\myPortal\server\default\deploy a. Delete the admin‐console.war and jmx‐console.war folders from the deploy folder 3. Navigate to \mymicros\myPortal\server\default\deploy\management\console‐mgr.sar a. Delete the web‐console.war folder from the console‐mgr.sar folder 4. Navigate to \mymicros\myportal\server\default folder a. Delete the tmp and work folders located in the default folder 5. Restart Micros Portal service. For users of mymicros.net versions 6.2.0 through 8.0.1, it is highly recommended that the following steps be taken after deployment: 1. Ensure that the Micros Portal service is off 2. Navigate to \mymicros\myPortal\server\default\deploy a. Delete the admin‐console.war and jmx‐console.war folders from the deploy folder 3. Navigate to \mymicros\myPortal\server\default\deploy\management\console‐mgr.sar a. Delete the web‐console.war folder from the console‐mgr.sar folder 4. Navigate to \mymicros\myPortal\server\default a. Delete the tmp and work folders located in the default folder 5. Navigate to \mymicros\myPortal\server\default\deploy\http‐invoker.sar\invoker.war\WEB‐INF 6. Open the web.xml 7. Search for the following xml element in the web.xml : <servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping> Then comment it out like this : <!‐‐<servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping>‐‐> 8. Search for the following xml element in the web.xml : <servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/readonly/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping> Then comment it out like this :‐ <!‐‐ MICROS Systems Inc. Page 2 of 4 January 14, 2014 9.
10.
11.
12.
13.
14.
<servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/readonly/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping>‐‐> Save the web.xml and close the file. Navigate to \mymicros\myPortal\server\default\deploy Open jmx‐invoker‐service.xml Search for the following XML element : <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx‐console"/> You will find that it is commented out and a comment has been kept just above this element which reads “Uncomment to require authenticated users”. Uncomment the xml element like the following:‐ <!‐‐ Uncomment to require authenticated users‐‐> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx‐console"/> Save the jmx‐invoker‐service.xml Restart Micros Portal service For users of iCare versions 8.1.0 and higher, it is highly recommended that the following steps be taken after deployment: Remove the JMX‐Console, Admin‐Console, Web‐Console 1. Ensure that Micros Stored Value Card service is off 2. Navigate to \mymicros\iCare\server\default\deploy a. Delete the admin‐console.war and jmx‐console.war folders from the deploy folder 3. Navigate to \mymicros\iCare\server\default\deploy\management\console‐mgr.sar b. Delete the web‐console.war folder from the console‐mgr.sar folder 4. Navigate to \mymicros\iCare\server\default folder a. Delete the tmp and work folders located in the default folder 5. Restart Micros Stored Value Card service. For users of iCare versions 6.2.0 through 8.0.1, it is highly recommended that the following steps be taken after deployment: 1. Ensure that the Micros Stored Value Card service is off 2. Navigate to \mymicros\iCare\server\default\deploy a. Delete the admin‐console.war and jmx‐console.war folders from the deploy folder 3. Navigate to \mymicros\iCare\server\default\deploy\management\console‐mgr.sar a. Delete the web‐console.war folder from the console‐mgr.sar folder 4. Navigate to \mymicros\iCare\server\default a. Delete the tmp and work folders located in the default folder 5. Navigate to \mymicros\iCare\server\default\deploy\http‐invoker.sar\invoker.war\WEB‐INF MICROS Systems Inc. Page 3 of 4 January 14, 2014 6. Open the web.xml 7. Search for the following xml element in the web.xml : <servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping> Then comment it out like this : <!‐‐<servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping>‐‐> 8. Search for the following xml element in the web.xml : <servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/readonly/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping> Then comment it out like this :‐ <!‐‐ <servlet‐mapping> <servlet‐name>JMXInvokerServlet</servlet‐name> <url‐pattern>/readonly/JMXInvokerServlet/*</url‐pattern> </servlet‐mapping>‐‐> 9. Save the web.xml and close the file. 10. Navigate to \mymicros\iCare\server\default\deploy 11. Open jmx‐invoker‐service.xml 12. Search for the following XML element : <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx‐console"/> You will find that it is commented out and a comment has been kept just above this element which reads “Uncomment to require authenticated users”. Uncomment the xml element like the following:‐ <!‐‐ Uncomment to require authenticated users‐‐> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx‐console"/> 13. Save the jmx‐invoker‐service.xml 14. Restart Micros Stored Value Card service For users of mymicros.net and iCare versions prior to 6.2.0, it is highly recommended to upgrade to a contemporary version as soon as reasonably possible. MICROS Systems Inc. Page 4 of 4 January 14, 2014