[GeoNetwork-devel] Questions about the presence of the Jolokia library in GeoNetwork code

Dear all

A few days ago, I noticed that our Ubuntu machine with GeoNetwork (version 3.10) was performing outgoing connections to an IRC channel.
The following command:
netstat -putw
…was returning:
tcp6 0 0 geocatalogue.afric:http irc.efnet.nl:ircd SYN_RECV -

By checking the WEB-INF/lib folder of GeoNetwork I noticed that GeoNetwork uses the jolokia library (jolokia-core-1.6.0.jar).
This library sends a message to the logs when GeoNetwork is started:
Sep 24 20:09:17 geocatalogue.africamuseum.be tomcat9[15427]: Deploying web application archive [/var/lib/tomcat9/webapps/geonetwork.war]
Sep 24 20:09:43 geocatalogue.africamuseum.be tomcat9[15427]: No Spring WebApplicationInitializer types detected on classpath
Sep 24 20:16:52 geocatalogue.africamuseum.be tomcat9[15427]: jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
Sep 24 20:17:06 geocatalogue.africamuseum.be tomcat9[15427]: Initializing Spring FramewrkServlet ‘spring’

I’m not familiar with Jolokia and Java, but this is apparently a service exposing the JMX interface as a REST API running on HTTP ports (80 or 443), without authentication.
https://jolokia.org/features-nb.html
But this link from SolarWinds states that Java services exposing their JMX interface publicly have an important security breach, allowing external users to register remotely runnable Java applications:
https://support.solarwinds.com/SuccessCenter/s/article/JAVA-JMX-interface-vulnerability?language=en_US
There is also an IRC server that can be registered as an MBean component, as described in the SolarWinds link:

http://j-ircd.sourceforge.net/
If I understand correctly, Jolokia can then be used to upload any runnable Java program to the GN Java context directly on port 80, making it possible to bypass the firewall rules described in the SolarWinds link (blocking ports 1099 and 9004). Isn't that a major security risk? What's the purpose of having Jolokia enabled in GeoNetwork and how is it supposed to work?

Best regards,

Franck Theeten

Royal Museum for Central Africa

Support services, ICT
Project manager, databases and web applications

Franck:

Please note that open source projects generally have a responsible disclosure policy to avoid discussions of this nature in public.

Please contact a member of the Project steering committee to proceed with this discussion.

Open source thrives on transparency with two exceptions: security vulnerabilities and harassment.

Thank you for taking part in our community.

Jody

Jody Garnett

Jolokia is configured / supposed not to allow every operation:

https://github.com/geonetwork/core-geonetwork/blob/master/web/src/main/resources/jolokia-access.xml
https://github.com/geonetwork/core-geonetwork/blob/master/web/src/main/webResources/WEB-INF/web.xml#L468

Am I wrong?

On Fri, Sep 25, 2020 at 4:17 PM Jody Garnett <jody.garnett@anonymised.com> wrote:

GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
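The two points raised above (the worry about arbitrary MBean registration over port 80, and the jolokia-access.xml policy pointed to as the restriction) hinge on what that policy actually permits. Below is an added example, not part of this thread or of GeoNetwork's code: a small Python evaluator of a constructed policy in Jolokia's jolokia-access.xml format, simplified from Jolokia's documented semantics (client host allowlist, command allowlist, then deny-over-allow MBean rules; only exact or "*" matching, no ObjectName patterns). The policy text is constructed for the example and is not GeoNetwork's real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the jolokia-access.xml format (not GeoNetwork's
# real file): local clients only, read/list only, and one explicit deny rule.
SAMPLE_POLICY = """<restrict>
  <remote><host>127.0.0.1</host><host>::1</host></remote>
  <commands><command>read</command><command>list</command></commands>
  <deny>
    <mbean><name>java.lang:type=Memory</name><operation>gc</operation></mbean>
  </deny>
</restrict>"""

def _mbean_rule(node):
    return {"name": node.findtext("name"),
            "attributes": [a.text for a in node.findall("attribute")],
            "operations": [o.text for o in node.findall("operation")]}

def load_policy(xml_text):
    """Collect the <remote>, <commands>, <allow> and <deny> sections."""
    root = ET.fromstring(xml_text)
    return {"hosts": [h.text for h in root.findall("remote/host")],
            "commands": [c.text for c in root.findall("commands/command")],
            "allow": [_mbean_rule(m) for m in root.findall("allow/mbean")],
            "deny": [_mbean_rule(m) for m in root.findall("deny/mbean")]}

def _rule_matches(rule, mbean, member, kind):
    # "*" in <name>, <attribute> or <operation> is treated as a wildcard.
    if rule["name"] not in ("*", mbean):
        return False
    members = rule["operations"] if kind == "operation" else rule["attributes"]
    return "*" in members or member in members

def is_allowed(policy, host, command, mbean=None, member=None):
    """Checks in Jolokia's order (simplified model): client host allowlist,
    command allowlist, then MBean rules (deny wins; a non-empty allow list is
    exhaustive). An absent <remote> or <commands> section means no restriction."""
    if policy["hosts"] and host not in policy["hosts"]:
        return False
    if policy["commands"] and command not in policy["commands"]:
        return False
    if mbean is None:          # e.g. "list" or "version": no MBean target
        return True
    kind = "operation" if command == "exec" else "attribute"
    if any(_rule_matches(r, mbean, member, kind) for r in policy["deny"]):
        return False
    if policy["allow"]:
        return any(_rule_matches(r, mbean, member, kind) for r in policy["allow"])
    return True
```

Running the same checks against a real deployment's policy file shows at a glance whether "exec" and non-local clients are shut out, which is the property the thread is asking about.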

Dear Jody,

I understand your point, but I place myself in the perspective of a user having colleagues asking whether the data they store in GeoNetwork are safe or not. How can we expect any vulnerability present in open-source applications to be removed or fixed if they aren't discussed? There should be at least a channel to communicate them.
There are actually open-source initiatives dealing with security and best practices, like OWASP: https://owasp.org/

Best,

Franck

From: Jody Garnett jody.garnett@anonymised.com
Sent: Friday, 25 September 2020 16:16
To: Franck Theeten franck.theeten@anonymised.com
Cc: André De Mûelenaere andre.de.muelenaere@anonymised.com; Francois Kervyn de Meerendré francois.kervyn@anonymised.com; Roel Paesen roel.paesen@anonymised.com; geonetwork-devel@anonymised.come.net geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] Questions about the presence of the Jolokia library in GeoNetwork code
