October 23, 2011

A new Internet worm has been reported that spreads via unpatched or unsecured JBoss Application Server and variant products. Infected hosts scan for and connect to unprotected JMX consoles then execute code on the target system. According to Red Hat, this worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products.

Detailed information about the worm, including JBoss community instructions for detection and cleaning, is available here: http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server.

This threat can be mitigated by following some basic security best practices. First, ensure that you are running the latest version of JBoss enterprise products by either installing the latest version from scratch or updating your existing version to the latest, as needed. Red Hat produced an update to JBoss enterprise products in April 2010 to address this issue (CVE-2010-0738), please see:https://access.redhat.com/kb/docs/DOC-30741.

Second, secure the JMX console of your JBoss enterprise product with authentication by using either a username / password file or your own Java Authentication and Authorization Service (JAAS) domain. Red Hat has provided an article with detailed instructions on how to secure the JMX console, please see: http://community.jboss.org/wiki/SecureTheJmxConsole.

The JMX console of your JBoss enterprise product may run on TCP port 8080 or alternatively, TCP port 8443 (if you have followed the above-mentioned instructions and secured the JMX console via SSL).

AWS recommends that you restrict inbound TCP port 8080 and / or 8443 (or whichever port you have chosen for your JMX console) to only those source IP addresses from which legitimate JMX console sessions should originate. These access restrictions can be applied by configuring your EC2 Security Groups accordingly. For information and examples on how to properly configure and apply Security Groups, please refer to the following documentation: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?adding-security-group-rules.html.