View Issue Details

ID: 0004263
Project: SymmetricDS
Category: Bug
View Status: public
Last Update: 2020-07-22 17:42
Reporter: greendog
Assigned To: elong
Status: closed
Resolution: fixed
Product Version: 3.11.4
Target Version: 3.12.0
Fixed in Version: 3.12.0
Summary: 0004263: mx4j without auth
Description: Symmetric DS uses mx4j to provide access to JMX over HTTP. mx4j, by default, has no auth and is available on all interfaces (
Therefore, an attacker can interact with JMX: get system info, invoke MBean methods. Moreover, it's possible to install additional MBeans from a remote host using MLet, which leads to arbitrary code execution.

Tags: No tags attached.


related to 0004279 (closed, elong): Remove JAR files that are not used as often to download separately



2020-05-21 16:45

developer   ~0001720

Removing mx4j for now. We will re-evaluate it and consider adding it back as an add-in module.


2020-05-31 20:06

reporter   ~0001722

I'd like to know if you are going to request a CVE for this issue? If not, could you make this issue public so I can do it myself?


2020-06-02 17:28

developer   ~0001723

Making issue public. We haven't participated in CVE requests before, so that is up to you. I can bring up the topic with the team, and maybe it's something we start doing in future.

Issue History

Date Modified Username Field Change
2020-01-27 11:43 greendog New Issue
2020-05-21 16:43 elong Relationship added related to 0004279
2020-05-21 16:45 elong Assigned To => elong
2020-05-21 16:45 elong Status new => resolved
2020-05-21 16:45 elong Resolution open => fixed
2020-05-21 16:45 elong Fixed in Version => 3.12.0
2020-05-21 16:45 elong Target Version => 3.12.0
2020-05-21 16:45 elong Note Added: 0001720
2020-05-26 18:48 elong Status resolved => closed
2020-05-31 20:06 greendog Status closed => feedback
2020-05-31 20:06 greendog Resolution fixed => reopened
2020-05-31 20:06 greendog Note Added: 0001722
2020-06-02 17:28 elong View Status private => public
2020-06-02 17:28 elong Note Added: 0001723
2020-07-22 17:42 elong Status feedback => closed
2020-07-22 17:42 elong Resolution reopened => fixed