JBoss Server Security in Spotlight at Conference
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

JBoss Server Security in Spotlight at Conference

Written By
Brian Prince
Brian Prince
Jun 2, 2010
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A researcher from Trustwave will highlight JBoss server security at the inaugural AthCon security conference this week.

In a presentation, Trustwave security consultant Christian Papathanasiou will unveil a new tool for compromising JBoss servers and discuss best practices for protecting JBoss servers.

“In essence no vulnerabilities are being exploited per say, [but] due to the complexity of the JBoss AS [application server] suite, many admins perceive the threat to be low and do not follow best guidance regarding securing the JMX console,” Papathanasiou explained to eWEEK. “My talk shows that this laissez faire attitude toward this complex product results in systems being exposed on the Internet to compromise.”

JBoss servers are often viewed as inherently secure due to the difficulty of obtaining off-the-shelf equipment for compromising the server, but JBoss’ prevalence among enterprises gives attackers motive to get to work, Trustwave contends. Attackers are already performing such attacks; however, until recently the wider community was “blissfully unaware that JBoss and Tomcat instances when left in their default configuration could be compromised in such a way,” Papathanasiou said.

“We developed a tool that uses default functionality provided by JBoss which allows us to ultimately gain complete control of the machine in question, thereby demonstrating the real necessity going forward for admins to take great care in securing their exposed JBoss instances,” he said.

Mitigating the dangers involves password-protecting the JBoss instance as well as keeping the software up-to-date, he added.

“We must, however, be careful, as recently a [zero-day] vulnerability was discovered by a security consultancy called Minded Security, which in essence allows the password protection to be bypassed,” the researcher said. “Therefore, a combination of password protection and utilizing the latest releases of the JBoss platform and preferably the enterprise release rather than the community AS version for production environments.”

The AthCon conference will be held June 3 in Athens, Greece.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information