Inquiry - Java JMX Server Security Vulnerability

[josephmcasey]

…We just connect to the JMX RMI server using Java APIs, ask it to load this MLet file we supply containing a pointer to a JAR, which the server happily loads and will invoke methods on when asked – just like Oracle told us it would. Pretty straightforward.

Source: https://www.optiv.com/blog/exploiting-jmx-rmi

I was reading the above article, and I noticed that it appears as if Seldon-Core has this vulnerability. Does anyone know if this is a concern. What is the rationale behind these option values?

[ukclivecox]

As discussed in Slack you can update the JAVA_OPS via an environment variable. https://docs.seldon.io/projects/seldon-core/en/v1.0.2/graph/annotations.html#service-orchestrator

However, we should remove this as the default.