[Engine-devel] JMX Console on oVirt engine
David Jorm
djorm at redhat.com
Thu Dec 8 02:12:25 UTC 2011
Hi All
I have followed the instructions on the wiki:
http://ovirt.org/wiki/Installing_ovirt-engine_from_rpm
And successfully installed oVirt engine. The instructions worked perfectly. I noticed that JBoss AS 5 came bundled in the ovirt-engine-jbossas package. I understand the reasoning for going out with AS 5 for now. However, the AS 5 default security configuration has not been changed. Once you install oVirt engine using the instructions above, the JMX Console will be running with no authentication. Worms exploiting this weakness are known to be circulating; people are likely to get compromised. For now, I have added instructions on securing the JMX Console to the aforementioned wiki page. In the long term, I think we should either disable or completely remove the JMX Console from JBoss AS as it is distributed with oVirt engine.
Thanks
--
David Jorm / Red Hat Security Response Team