How to disable the Pooled Invoker in JBoss EAP 4.x/5.x


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x

Issue

  • How do we prevent the deserialization attack described in CVE-2016-3690?

  • We are moving from JBoss EAP 5.1.2. We found that port 4445 was now open, and we would like to disable this port.

  • How to disable the Pooled Invoker in JBoss EAP 5.x?

  • Red Hat have responded to CVE-2016-3690 with advice to remove the pooled invoker MBean. It is noted that this vulnerability also affects JBoss EAP 4; will the same solution be suitable for 4.3 instances?

  • How to disable the Legacy Invoker Servlet in JBoss EAP 5.x?

Resolution

Open $JBOSS_HOME/server/$PROFILE/deploy/legacy-invokers-service.xml and remove the PooledInvoker MBean; this disables port 4445.

   <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
   ...
   </mbean>
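The edit above can be done by hand, but on a fleet of profiles it helps to have a repeatable script that reports whether the PooledInvoker MBean is still declared and removes only that element. The following Python script is an added example, not Red Hat's own tooling; it assumes the file is a standard JBoss service descriptor (a `<server>` root holding `<mbean code="..." name="...">` children) and the embedded sample XML is constructed to resemble a trimmed legacy-invokers-service.xml.

```python
"""Detect and remove the PooledInvoker MBean from a JBoss EAP legacy-invokers-service.xml.

Added example (not Red Hat's own tooling). Assumes the descriptor is a
<server> root containing <mbean code="..." name="..."> children.
"""
import shutil
import xml.etree.ElementTree as ET

# Class name of the MBean named in the resolution above.
POOLED_INVOKER_CLASS = "org.jboss.invocation.pooled.server.PooledInvoker"

# Constructed sample: a trimmed descriptor declaring two invokers.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
         name="jboss:service=invoker,type=pooled">
    <attribute name="ServerBindPort">4445</attribute>
  </mbean>
</server>
"""


def pooled_invoker_mbeans(root):
    """Return the direct-child <mbean> elements whose code is the PooledInvoker class."""
    return [m for m in root.findall("mbean") if m.get("code") == POOLED_INVOKER_CLASS]


def is_pooled_invoker_enabled(xml_text):
    """True if the descriptor still declares a PooledInvoker MBean."""
    return bool(pooled_invoker_mbeans(ET.fromstring(xml_text)))


def remove_pooled_invoker(xml_text):
    """Return (new_xml_text, number_of_mbeans_removed).

    Only the PooledInvoker MBean is dropped; every other MBean is kept.
    """
    root = ET.fromstring(xml_text)
    targets = pooled_invoker_mbeans(root)
    for mbean in targets:
        root.remove(mbean)
    return ET.tostring(root, encoding="unicode"), len(targets)


def disable_pooled_invoker(path):
    """Edit the descriptor in place after saving a .bak copy; returns the removed count."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_text, removed = remove_pooled_invoker(original)
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_text + "\n")
    return removed


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python disable_pooled_invoker.py $JBOSS_HOME/server/$PROFILE/deploy/legacy-invokers-service.xml
        count = disable_pooled_invoker(sys.argv[1])
        print(f"removed {count} PooledInvoker MBean(s) from {sys.argv[1]}")
    else:
        cleaned, count = remove_pooled_invoker(SAMPLE_XML)
        print(f"sample: removed {count}; still enabled? {is_pooled_invoker_enabled(cleaned)}")
```

ElementTree drops XML comments when it re-serializes the file, so review the rewritten descriptor (the original is kept as a `.bak` copy) before restarting the server, and confirm the result with the netstat check in the Diagnostic Steps below.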

Diagnostic Steps

This netstat command shows whether port 4445 is still listening:

netstat -anp | grep :4445

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.