Dear all
A few days ago, I noticed that our Ubuntu machine with GeoNetwork (version 3.10) was performing outgoing connections to an IRC channel.
The following command:
netstat -putw
…was returning:
tcp6 0 0 geocatalogue.afric:http irc.efnet.nl:ircd SYN_RECV -
By checking the WEB-INF/lib folder of GeoNetwork I noticed that GeoNetwork uses the jolokia library (jolokia-core-1.6.0.jar).
This library sends a message to the logs when GeoNetwork is started :
Sep 24 20:09:17 geocatalogue.africamuseum.be tomcat9[15427]: Deploying web application archive [/var/lib/tomcat9/webapps/geonetwork.war]
Sep 24 20:09:43 geocatalogue.africamuseum.be tomcat9[15427]: No Spring WebApplicationInitializer types detected on classpath
Sep 24 20:16:52 geocatalogue.africamuseum.be tomcat9[15427]: jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
Sep 24 20:17:06 geocatalogue.africamuseum.be tomcat9[15427]: Initializing Spring FramewrkServlet ‘spring’
I’m not familiar with Jolokia and Java, but this is apparently a service exposing the JMX interface as a REST API running on HTTP ports (80 or 443), without authentication.
https://jolokia.org/features-nb.html
But this link from SolarWinds states that Java services exposing their JMX interface publicly have an important security breach, allowing an external user to register a remotely runnable Java application:
https://support.solarwinds.com/SuccessCenter/s/article/JAVA-JMX-interface-vulnerability?language=en_US
There is also an IRC server that can be registered as an MBean component, as described in the SolarWinds link:
http://j-ircd.sourceforge.net/
If I understand correctly, Jolokia can then be used to upload any runnable Java program to the GN Java context directly on port 80, making it possible to bypass the firewall rules described in the SolarWinds link (blocking ports 1099 and 9004). Isn’t that a major security risk? What’s the purpose of having Jolokia enabled in GeoNetwork, and how is it supposed to work?
Best regards,
Franck Theeten
Royal Museum for Central Africa
Support services, ICT
Project manager, databases and web applications
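For reference, an added example (not the file shipped with GeoNetwork) of what a restrictive policy in the jolokia-access.xml format named in the log line above looks like: the agent is reachable only from localhost and limited to read-only commands, so MBeans cannot be invoked or registered through it. The host list and MBean names are assumptions to adapt to your own deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example jolokia-access.xml (added illustration, not GeoNetwork's own file).
     Jolokia loads it from the classpath and logs
     "Using policy access restrictor classpath:/jolokia-access.xml". -->
<restrict>
  <!-- Only these client addresses may talk to the agent at all
       (assumed values; IPs, hostnames or CIDR ranges are accepted). -->
  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
  </remote>

  <!-- Whitelist of Jolokia commands. When this section is present, every
       command not listed is denied: "write" and "exec" are therefore
       refused, which is what prevents registering or invoking MBeans. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>

  <!-- Deny always takes precedence over allow. Block operations on
       MBeans you never want reachable over HTTP even if the command
       whitelist above is later relaxed (assumed MBean names). -->
  <deny>
    <mbean>
      <name>com.sun.management:type=HotSpotDiagnostic</name>
      <operation>*</operation>
    </mbean>
    <mbean>
      <name>jolokia:type=Config</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>
```

After deploying the file, confirm the startup log still reports the policy restrictor being used; if the line is missing, the agent is running without the policy.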