66125 – JMProxy - enhance security restrictions

Bug 66125 - JMProxy - enhance security restrictions

Summary: JMProxy - enhance security restrictions

Status:	NEW

Alias:	None

Product:	Tomcat 10
Classification:	Unclassified
Component:	Manager (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P2 enhancement (vote)
Target Milestone:	------
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-06-16 10:49 UTC by Tim Funk
Modified:	2022-06-16 12:41 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Funk 2022-06-16 10:49:02 UTC

Use case: Allow an admin to restrict the scope of available queries for finding beans. Also allow the scope to be restricted per operation.

Done by allowing for a servlet init parameter or a servlet context init param. Naming of the parameter is the same (except the context version has a "JMXProxyServlet." prefix to the name) By allowing servlet context init param, then the manager.xml context file can be updated instead of the more risky (when versions update) server admin change of web.xml

The value is a comma or whitespace separated list of allowable regex's to be checked against the query param before running the JMX query.

This can allow the effective disable of set or generic query while preserving get to a finite namespace and invoke to just garbage collection. (Per example in docs)

Patch preview for the basic concept (disclaimer: untested but up for ideas in renaming the param names or general approach)
https://github.com/apache/tomcat/compare/main...funkman:jmx_lockdown?expand=1

Comment 1 Remy Maucherat 2022-06-16 12:17:00 UTC

This enhancement is risky since if there's a problem somehow it will be an immediate RCE CVE (once people start assuming they can safely expose JMX to the world).

Comment 2 Tim Funk 2022-06-16 12:27:31 UTC

100% agreed. I definitely need to add more to the docs to call this out.

For example - in manager-howto.xml - one tweak was the say WARNING instead of NOTE.

I was hoping to hit the use case of people using JMXProxy for monitoring and this is a flexible way to limit usage to the "get' operations as well as limit the scope for what get can see. 

I wasn't sure if this was an OK approach to limit usage as compared to other possibilities. 

For example: another approach is to moving "op" query string to a path. In which case: Its easier to add different roles in each of those paths. (But this approach would have backwards compatibility challenges)

Comment 3 Mark Thomas 2022-06-16 12:32:39 UTC

If we want to support provision of metrics to unprivileged or minimally privileged users then I think we should consider a mechanism that doesn't involve those users providing the JMX query that gets executed.

For example, a new status servlet could be implemented that provides system admin selected metrics in a single page - possibly in JSON format. JMX is likely to be the underlying mechanism used to populate the results and a set of JMX queries could be used to configure it but all end users would be able to do is request the page.

Comment 4 Tim Funk 2022-06-16 12:41:15 UTC

True - if that is the case - there is this: /manager/status?XML=true which is xml, not JSON. 

I'd wonder what additional metrics users were interested that are missing. (As well as if its worth it to optionally exclude processes currently being requested)