JBoss Application Server has been a popular (let us call it premier) open source Java EE compliant application server for a long, long time. Naturally, there are tons of users.
Over the years, the developers of the community JBoss AS (the guys writing JBAS) have debated about enabling security in JBAS. We have had heated debates on whether we ship the community version of JBoss AS in secure mode (everything secured: the JMX console, twiddle, the invokers, secure, secure, secure) or in a development mode.
Over the years we have worked from the understanding that JBoss AS will primarily be used by Java EE developers on their desktops to develop business applications. When they are ready to deploy those applications in production, they will have the practical sense to follow the guidelines on securing JBoss (which have been available in multiple forms on our wiki).
The shipped community version of JBoss AS has no security defaults that lock it down out of the box.
Now, let us talk about the product JBoss Enterprise Application Platform (EAP) that is shipped by Red Hat. Everything in the platform is secured by default. This is the version that customers (including Governments, Financial institutions, Universities, Companies of varying size) use to develop and deploy business applications. The system administrators have to configure the security of EAP to get it working. You cannot just unzip and run your applications.
Why am I writing this blog post?
The reason I am writing this blog post is that, increasingly, we are seeing multiple security companies that want a foothold in the industry use the community version of JBoss AS to spread FUD. An example is the presentation by Christian Papathanasiou of Trust Wave called Abusing JBoss. Honestly, I find the title offensive. JBoss is a brand. You cannot abuse it.
Let us talk about ethics now. If you are a security researcher or vendor, it is ethical to first contact the company or project whose exploits you are going to make public. Before this presentation, neither Christian nor Trust Wave had contacted the JBoss Security Response Team (http://jboss.org/security) or the Red Hat Security Response Team (http://www.redhat.com/security/).
At JBoss, what do we do?
Every time we find someone with an unsecured JMX Console on the web, our response team folks try to contact the owner of that site to educate them about securing the console. But this is a daunting task. Every developer who wants his own website simply uses the community version of JBAS without applying the proper security configuration.
Additionally, the fans of JBoss also try to contact the website owners. We have built a fan following over the years. At JBoss World they tell us about this too.
I seriously doubt any high profile company has a JMX console that is open to the world. There may be a few, but we are actively locating them and telling them about security. If you find one, inform them about securing the community version of JBoss AS.
Additionally, US-CERT has published an advisory on this.
Which JBoss AS should I choose: Community JBoss AS or JBoss EAP?
* JBoss EAP is a product that is officially supported by Red Hat. You get patches, updates, security fixes, etc. It ships secured by default.
* If you are using the community version of JBAS, then please, please follow the security steps for your instance. If not, you are just giving fodder to the millions of new security companies popping up on the block.
If I find a vulnerability in any of JBoss projects and products, where do I report?
Please pass that information to the Red Hat Security response team in any way you choose. The methods are listed at http://www.redhat.com/security. Quick, confidential treatment of your queries and reports will be provided.