Securing Hawtio
Hawtio is an awesome management tool for Java and JVM applications built on top of JMX. Hawtio utilises Jolokia at its core, a library that opens up JMX with JSON over HTTP. Jolokia is a fantastic library that makes JMX really easy and pleasant to use, but it also exposes MBeans to unsolicited manipulation from outside.
You might not need to be too nervous about security on Hawtio during development, but it is very important to make sure Hawtio is secured in your production system.
Just recently, two CVEs (XSS and CSRF) were reported against Hawtio:
- CVE-2017-2589 hawtio: Proxy is sharing cookies among all the clients
- CVE-2017-7556 Hawtio: CSRF flaw via jolokia
The good news is that solutions for both vulnerabilities are already built in and available since Hawtio 1.5.0. In this blog post, I’d like to explain what you need to do to protect Hawtio from those two security vulnerabilities in production.
In summary, the following two things are mandatory to secure Hawtio before putting it into production:
- Review and (as necessary) configure the hawtio.proxyWhitelist system property
- Set up jolokia-access.xml to limit allowed hosts and enable <strict-checking /> for CORS
Secure Hawtio proxy servlet by proxy whitelist
To protect it from XSS (CVE-2017-2589), Hawtio 1.5.0 introduced the whitelist for accessing the Hawtio proxy servlet. By default only the IP addresses bound to the local machine (including localhost / 127.0.0.1) are whitelisted. So, out of the box Hawtio is safe against CVE-2017-2589! However, in turn you cannot connect to a remote Jolokia unless you explicitly add its hostname / IP address to the whitelist.
If you don’t connect to a remote node from Hawtio, the default settings should be sufficient and you are already secured.
If you need to connect to a remote node, then the whitelist has to be configured via the hawtio.proxyWhitelist system property. For the Karaf container, you can declare the system property in $KARAF_HOME/etc/system.properties like this:
hawtio.proxyWhitelist = myserver1, myserver2, myserver3
Note that since Hawtio 1.5.1 you can also use regular expressions in the whitelist by prefixing them with r:, like this:
hawtio.proxyWhitelist = r:.+[.]example[.]com, r:192[.]168[.]1[.].+
Protect Jolokia from CSRF attacks
The second thing to do is tighten up Jolokia. By default, Jolokia is open to CORS requests from every remote host for maximum availability. This is because Hawtio/Jolokia cannot know in advance which hostnames/IP addresses a user is going to use in their setup. However, this leaves out-of-the-box Hawtio vulnerable to CORS access from an unknown site and even CSRF attacks (CVE-2017-7556)!
What you need to do is define your own CORS policy in jolokia-access.xml and allow only trusted sites to send requests to, and receive responses from, MBeans via Jolokia.
The jolokia-access.xml file should look something like this:
<restrict>
  [...]
  <cors>
    <allow-origin>http*://localhost:*</allow-origin>
    <allow-origin>http*://127.0.0.1:*</allow-origin>
    <allow-origin>http*://*.example.com</allow-origin>
    <allow-origin>http*://*.example.com:*</allow-origin>
    <strict-checking />
  </cors>
</restrict>
Note the <strict-checking /> setting is really important for protecting against CSRF, as otherwise a malicious request to invoke an MBean operation may still be executed.
Once the jolokia-access.xml file is defined, you can use the jolokia.policyLocation system property to apply the policy to Hawtio’s Jolokia servlet. Again, for the Karaf container, you can declare the system property in $KARAF_HOME/etc/system.properties like this:
jolokia.policyLocation=file:///opt/hawtio/jolokia-access.xml
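As an added pre-deployment check (my own example, not code from the post or from the Hawtio/Jolokia projects), the Python below parses a jolokia-access.xml and flags a policy that lacks <strict-checking /> or whose allow-origin patterns would accept an origin you do not trust. The '*' glob matching is an assumed simplification of Jolokia's own pattern matching, and both sample policies and the test origins are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the hardened policy from the post (the "[...]" part omitted).
HARDENED_POLICY = """<restrict>
  <cors>
    <allow-origin>http*://localhost:*</allow-origin>
    <allow-origin>http*://127.0.0.1:*</allow-origin>
    <allow-origin>http*://*.example.com</allow-origin>
    <allow-origin>http*://*.example.com:*</allow-origin>
    <strict-checking />
  </cors>
</restrict>"""

# Constructed sample: a policy that still lets every origin talk to Jolokia.
WEAK_POLICY = "<restrict><cors><allow-origin>*</allow-origin></cors></restrict>"


def _cors(xml_text):
    """Return the <cors> element of a jolokia-access.xml document, or None."""
    return ET.fromstring(xml_text).find("cors")


def allow_origin_patterns(xml_text):
    cors = _cors(xml_text)
    return [] if cors is None else [(e.text or "").strip() for e in cors.findall("allow-origin")]


def strict_checking_enabled(xml_text):
    cors = _cors(xml_text)
    return cors is not None and cors.find("strict-checking") is not None


def origin_matches(origin, pattern):
    """Glob match where '*' stands for any run of characters (assumed simplification)."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, origin) is not None


def audit_policy(xml_text, untrusted_origins):
    """Return the findings a reviewer would want fixed before deploying this policy."""
    findings = []
    patterns = allow_origin_patterns(xml_text)
    if not patterns:
        findings.append("no <allow-origin> entries: every remote host may call Jolokia")
    if not strict_checking_enabled(xml_text):
        findings.append("<strict-checking /> missing: CSRF protection is not enforced")
    for origin in untrusted_origins:
        for pattern in patterns:
            if origin_matches(origin, pattern):
                findings.append(f"untrusted origin {origin} is accepted by pattern {pattern!r}")
    return findings
```

Running audit_policy against the hardened policy yields no findings, while the weak policy is reported both for the missing strict checking and for accepting an arbitrary origin; note that without the second ":*" pattern an origin carrying a port (such as https://hawtio.example.com:8080) would not be accepted.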
Now your Hawtio is secured and ready for production!