view distribution/config/commands/service.properties @ 1639:b5b33a85d78b

Remove RMI from Thermostat Agent

It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system.

This patch removes RMI communication between the agent and agent proxy, and converts the agent proxy into a non-interactive process. Given the process ID, the agent proxy will attach to the VM, retrieve the JMX service URL, and detach from the VM. The agent proxy then prints the JMX service URL to stdout, which is consumed by the agent. This simpler approach fulfills the current requirements for the agent proxy and does so without any insecure RMI communication.

Reviewed-by: vanaltj
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2014-December/012320.html

CVE-2014-8120
PR2155

author Elliott Baron <ebaron@redhat.com>
date Tue, 16 Dec 2014 16:00:40 -0500
parents 0d017ca68ba2
children

bundles = com.redhat.thermostat.agent.core=${project.version}, \
          com.redhat.thermostat.storage.mongodb=${project.version}, \
          org.mongodb.mongo-java-driver=${mongo-driver.osgi-version}, \
          org.apache.commons.beanutils=${commons-beanutils.version}, \
          org.apache.commons.collections=${commons-collections.version}, \
          org.apache.commons.logging=${commons-logging.version}, \
          org.apache.commons.codec=${commons-codec.osgi-version}, \
          com.redhat.thermostat.process=${project.version}, \
          com.redhat.thermostat.common.command=${project.version}, \
          com.redhat.thermostat.agent.command=${project.version}, \
          com.redhat.thermostat.storage.cli=${project.version}, \
          com.redhat.thermostat.agent.cli=${project.version}, \
          org.jboss.netty=${netty.version}

description = starts and stops the thermostat storage and agent

usage = service [-l <level>]

options = AUTO_LOG_OPTION

environments = cli