8.1 JMX Security Exposures

Security is in large part about risk management. Because it is impossible to defend against every potential threat, one of the first steps taken in any security design is to assess which attacks are most likely or most costly or both. On the basis of that threat assessment, a solution is designed to reduce to a manageable level, or optimally eliminate, the risk associated with those threats. Table 8.1 summarizes the security exposures associated with JMX.

Table 8.1. JMX Security Exposures and Consequences

Exposure: Unauthorized MBeanServerFactory Access
Consequence: MBeanServerFactory creates new MBeanServers, and it looks up and releases existing ones. Access to each of these capabilities needs to be controlled. For example, a malicious management application could look up and release a system's MBeanServer and replace it with one populated with bogus MBeans.

Exposure: Untrusted MBean Registration
Consequence: The MBeans that instrument new applications and devices will ship with those applications and devices. Updated instrumentation may also be made available over the Web. An obvious attack on these JMX-enabled systems is to create MBeans that "spoof" the system's actual MBeans. If the attacker's MBeans are registered instead of the legitimate MBeans, the system is compromised. Therefore we need a way to ensure that only "trusted" MBeans become registered in the MBeanServer.

Exposure: Unauthorized MBean Access
Consequence: MBeans represent managed resources to management applications (e.g., a Web server or a router). The management interface that an MBean presents enables those applications to get and set attributes, like the open ports on a router, or invoke operations, like starting or stopping a service or server. Clearly, administrators need the ability to control which management applications and users can perform these actions.
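The following is an added example, not code from the book: a dynamic-proxy guard placed in front of the platform MBeanServer that addresses the last two rows of Table 8.1. It assumes Java 11 or later, a hypothetical allowlist of trusted MBean implementation classes, and a caller role that a real deployment would take from the authenticated Subject rather than from a field.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.*;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// registerMBean accepts only allow-listed implementation classes (untrusted MBean
// registration); invoke and setAttribute require the hypothetical "operator" role
// (unauthorized MBean access). Every other MBeanServer call is forwarded unchanged.
public class GuardedMBeanServer implements InvocationHandler {
    public interface CounterMBean { int getCount(); void reset(); }
    public static class Counter implements CounterMBean {
        private int count = 42;
        public int getCount() { return count; }
        public void reset() { count = 0; }
    }
    public static class Spoof implements CounterMBean {   // same interface, not on the allowlist
        public int getCount() { return 0; }
        public void reset() { }
    }
    private final MBeanServer target;
    private final Set<String> trusted;   // assumed allowlist of MBean class names
    String role = "reader";              // a real deployment derives this from the authenticated Subject
    GuardedMBeanServer(MBeanServer target, Set<String> trusted) { this.target = target; this.trusted = trusted; }

    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        String op = m.getName();
        if (op.equals("registerMBean") && !trusted.contains(args[0].getClass().getName()))
            throw new SecurityException("untrusted MBean class " + args[0].getClass().getName());
        if ((op.equals("invoke") || op.equals("setAttribute")) && !role.equals("operator"))
            throw new SecurityException("role " + role + " may not " + op);
        try { return m.invoke(target, args); }
        catch (InvocationTargetException e) { throw e.getCause(); }  // rethrow the MBeanServer's own exception
    }

    public static void main(String[] a) throws Exception {
        GuardedMBeanServer h = new GuardedMBeanServer(
                ManagementFactory.getPlatformMBeanServer(), Set.of(Counter.class.getName()));
        MBeanServer guarded = (MBeanServer) Proxy.newProxyInstance(
                GuardedMBeanServer.class.getClassLoader(), new Class<?>[] { MBeanServer.class }, h);
        ObjectName name = new ObjectName("example:type=Counter");
        guarded.registerMBean(new Counter(), name);                 // trusted class: accepted
        try { guarded.registerMBean(new Spoof(), new ObjectName("example:type=Spoof")); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println(guarded.getAttribute(name, "Count"));    // reads are not restricted by this guard
        try { guarded.invoke(name, "reset", null, null); }          // "reader" may not invoke operations
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        h.role = "operator";
        guarded.invoke(name, "reset", null, null);                  // operator role: permitted
        System.out.println(guarded.getAttribute(name, "Count"));
    }
}
```

Registration is refused before the untrusted object ever reaches the real MBeanServer, so a spoofed MBean cannot displace a legitimate one under the same ObjectName; the MBeanServerFactory row of the table has no per-call hook like this and relies on controlling who can reach the factory at all.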



Java™ and JMX: Building Manageable Systems
ISBN: 0672324083
Year: 2000
Pages: 115
