
      There are cases where system accounts and passwords (in clear text) are reported via JMX beans. One example is in the database connector bean. Accessing JMX does require a password, but we did not realize that read-only JMX access may be exposing system-level accounts.

      Access to the JMX metrics might be allowed to both monitoring tools and custom plugin developers for debugging. Some beans contain passwords that shouldn't be distributed; for example, the DB Connector Bean shows the database username/password as a "metric" in the bean.


            [JRASERVER-71074] Filter sensitive information leaked through JMX monitoring

            There are no comments yet on this issue.

              Unassigned Unassigned
              bbressler Brad Bressler
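
The exposure described in this issue can be checked from inside a JVM by listing which readable MBean attributes have credential-like names. The following is an added example, not Jira's code and not part of the original report; the `SampleDbConnector` bean, its object name, its values and the name pattern are constructed assumptions standing in for a database connector bean.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class JmxSensitiveAttributeAudit {
    // Assumed heuristic for credential-like attribute names; extend as needed.
    private static final Pattern SENSITIVE = Pattern.compile(
        "pass(word|wd)?|secret|credential|token|api[-_]?key", Pattern.CASE_INSENSITIVE);

    // Constructed sample interface standing in for a database connector bean.
    public interface SampleDbConnector {
        String getUrl();
        String getUsername();
        String getPassword();
    }

    /** Returns "objectName#attribute" for each readable attribute with a sensitive-looking name. */
    public static List<String> audit(MBeanServer server) throws Exception {
        List<String> findings = new ArrayList<>();
        for (ObjectName name : server.queryNames(null, null)) {
            for (MBeanAttributeInfo attr : server.getMBeanInfo(name).getAttributes()) {
                // Any client allowed to read this bean can fetch the attribute value.
                if (attr.isReadable() && SENSITIVE.matcher(attr.getName()).find()) {
                    findings.add(name + "#" + attr.getName()); // report the name only, never the value
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        SampleDbConnector impl = new SampleDbConnector() {
            public String getUrl() { return "jdbc:postgresql://db.example.invalid/jira"; }
            public String getUsername() { return "constructed-user"; }
            public String getPassword() { return "constructed-password"; }
        };
        // Register the constructed bean so the audit has a known finding to report.
        server.registerMBean(new StandardMBean(impl, SampleDbConnector.class),
            new ObjectName("example.audit:type=SampleDbConnector"));
        audit(server).forEach(System.out::println);
    }
}
```

Attributes reported by such an audit are candidates for removal from the bean, masking in the getter, or exclusion from the roles granted to monitoring tools.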