From 65b92f43d09037f81c80384276c60d66b7d6dd74 Mon Sep 17 00:00:00 2001
From: "rick.parker"
Date: Thu, 13 Apr 2023 13:23:22 +0100
Subject: [PATCH] Turns out HTTP server used by Jolokia

---
 tools/cliutils/src/main/resources/mods.properties | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/tools/cliutils/src/main/resources/mods.properties b/tools/cliutils/src/main/resources/mods.properties
index a779ce8a28..c9f1e19983 100644
--- a/tools/cliutils/src/main/resources/mods.properties
+++ b/tools/cliutils/src/main/resources/mods.properties
@@ -23,11 +23,11 @@ RMI.java.rmi.server.RemoteObject.RemoteObject=throw new java.lang.RuntimeExcepti
 # JDK HTTP Server
 # ---------------
 # The JDK HTTP server is intended for quick testing, especially for platform beginners. It is rarely (if
-# ever) used in production, so we can eliminate this little bit of attack surface.
-HTTPSERVER.com.sun.net.httpserver.HttpServer.HttpServer=throw new java.lang.RuntimeException("HTTP server creation blocked by aegis4j");
-HTTPSERVER.com.sun.net.httpserver.HttpsServer.HttpsServer=throw new java.lang.RuntimeException("HTTPS server creation blocked by aegis4j");
-HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.HttpServerProvider=throw new java.lang.RuntimeException("HTTP server provider creation blocked by aegis4j");
-HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.provider=throw new java.lang.RuntimeException("HTTP server provider lookup blocked by aegis4j");
+# ever) used in production, so we can eliminate this little bit of attack surface. Turns out used by Jolokia.
+#HTTPSERVER.com.sun.net.httpserver.HttpServer.HttpServer=throw new java.lang.RuntimeException("HTTP server creation blocked by aegis4j");
+#HTTPSERVER.com.sun.net.httpserver.HttpsServer.HttpsServer=throw new java.lang.RuntimeException("HTTPS server creation blocked by aegis4j");
+#HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.HttpServerProvider=throw new java.lang.RuntimeException("HTTP server provider creation blocked by aegis4j");
+#HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.provider=throw new java.lang.RuntimeException("HTTP server provider lookup blocked by aegis4j");
 # Java Serialization
 # ------------------
 # Probably a bit more commonly used than most of the other features on this list, but a huge security
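Review bot: The rewritten comment line `+# ever) used in production, so we can eliminate this little bit of attack surface. Turns out used by Jolokia.` now contradicts itself, still arguing the surface can be eliminated and then noting the block is lifted, while the four commented-out HTTPSERVER entries beneath it carry no explanation of what is disabled or why. A later reader has to already know that the Jolokia agent stands up a JDK HttpServer to understand why all four entries, including the HttpsServer and provider-lookup ones, are switched off together. I would replace the tail of that comment with something like `# ever) used in production. NOTE: blocking is disabled here because Jolokia creates a JDK HttpServer; re-enable these entries if Jolokia is dropped.` and keep the commented-out entries under it so the hardening is easy to restore. If the agent can be told at launch to leave specific features unenforced, keeping these entries active and relaxing only the Jolokia deployments would preserve the hardened default everywhere else.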
@@ -68,3 +68,5 @@ NETTYHTTP.org.jboss.netty.handler.codec.http.HttpMessageDecoder.HttpMessageDecod
 H2.org.h2.server.web.WebServlet.WebServlet=throw new java.lang.RuntimeException("H2 Console blocked by aegis4j");
 # CVE-2021-23463
 H2.org.h2.jdbc.JdbcSQLXML.getSource=throw new java.lang.RuntimeException("H2 SQL XML blocked by aegis4j");
+# CVE-2022-0839
+#LIQUIBASE.liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode=saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
\ No newline at end of file
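Review bot: The added `#LIQUIBASE.liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode=...` entry is commented out, so the `# CVE-2022-0839` line above it labels a mitigation that is never applied, and nothing records why it is disabled or where that CVE is otherwise handled. Unlike every other entry in this file the value is a `setFeature(...)` statement rather than a `throw`, which may be the reason it could not be enabled; if so, that belongs in the file rather than in the reviewer's head. I would change the note to something like `# CVE-2022-0839 (Liquibase XML changelog parser): NOT enforced by aegis4j - entry kept for reference only; mitigation: <state where CVE-2022-0839 is addressed>` so a later reader does not assume the CVE is covered here. The new final line also lacks a trailing newline (`\ No newline at end of file`), which is worth restoring in this commit.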