JDA Connect CSRF / Command Execution / Exposed JMX Service

`Introduction  
============  
Multiple critical vulnerabilities were identified in JDA Connect.  
The vulnerabilities were discovered during a  
black box security assessment and therefore the vulnerability list  
should not be considered exhaustive.  
  
Affected Software and Versions  
==============================  
- Tested with JDA Connect (most recent version at the date of July 2017)  
- All vulnerabilities are fixed as of patch 2017.2  
  
CVE  
===  
No CVEs have been assigned yet.  
  
Author  
======  
The vulnerabilities were discovered by Xiaoran Wang from Google Security  
Team.  
  
Credit  
======  
The author would like to thank John Vrankovich from JDA for coordinating  
the security fixes promptly and diligently.  
  
Vulnerability Overview  
======================  
CNT-01 - Privileged remote command execution through open CORS policies  
CNT-02 - No CSRF protection on hawtio web portal  
CNT-03 - Unauthenticated JMX service listening on all interfaces  
  
  
Vulnerability Details  
=====================  
----------------------------------------------------------------------------  
CNT-01 - Privileged remote command execution through open CORS policies  
----------------------------------------------------------------------------  
Severity: CRITICAL  
  
The hawtio admin web portal running on port 8181 has a insecure wide open  
aAccess-Control-Allow-Origina setting and it allows any arbitrary origin to  
access its data by echoing back aAccess-Control-Allow-Origin:  
attacker-supplied-origina and aAccess-Control-Allow-Credentials: truea.  
This allows the attacker to communicate with the vulnerable website from an  
attackeras website as if they were on the same origin. This enables the  
attacker to take send and receive any request this website accepts because  
itas cookie authenticated. Example requests include dumping heap memory,  
reading/writing JVM options, reading/writing object values, installing  
arbitrary features/bundles, and the servlet handler runs as root.  
  
----------------------------------------------------------------------------  
CNT-02 - No CSRF protection on hawtio web portal  
----------------------------------------------------------------------------  
Severity: HIGH  
  
The hawtio admin web portal running on port 8181 does not have any CSRF  
protection, leading to the same results as the previous vulnerability, such  
as installing arbitrary packages, reading/writing JVM memory, etc.  
  
----------------------------------------------------------------------------  
CNT-03 - Unauthenticated JMX service listening on all interfaces  
----------------------------------------------------------------------------  
Severity: HIGH  
  
The JDA Connect Java daemon has a JMX server that listens on all interfaces  
without authentication. Using tools like jconsole, one could read and write  
the values of objects in the entire application, possibly leading to  
arbitrary command execution. For example, the Java process is started with  
the following options.  
-Dcom.sun.management.jmxremote.port=1616  
-Dcom.sun.management.jmxremote.authenticate=false  
-Dcom.sun.management.jmxremote.ssl=false  
  
  
`