tenable:118039 · Java JMX Agent Insecure Configuration

01 · The Real Story

This is leaving a server’s maintenance hatch unlocked, not discovering a crack in the engine block

Tenable plugin 118039 is not a classic product bug with a clean patched version. It flags a Java remote JMX agent that was started with security disabled, typically -Dcom.sun.management.jmxremote.authenticate=false and -Dcom.sun.management.jmxremote.ssl=false, while a remote JMX port is exposed. In that state, any host that can reach the JMX/RMI service can connect and manage the JVM with no credentials. On older and still-common Java releases, Oracle also documents an MLet-based path that can lead to arbitrary code execution; OpenJDK later removed m-lets in Java 23, which narrows the worst-case impact on the newest runtimes.

Tenable’s HIGH label is technically defensible if the service is internet-facing or broadly reachable on a flat internal network, because the attacker needs no auth and can land in the JVM’s security context. But for enterprise fleet prioritization, the real friction is huge: JMX remote must be explicitly enabled, reachable over the network, and often exists only for ops tooling on a narrow management path. That makes this more of an exposure-management and hardening issue than a universal emergency patch issue, so I’d downgrade the generic finding to MEDIUM unless exposure data shows public or cross-segment reachability.

"Bad when reachable, but this is usually an exposed admin socket problem, not a universal patch-now event."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable JMX/RMI listener

An attacker first identifies a Java management endpoint, commonly via nmap service discovery or Rapid7's auxiliary/scanner/misc/java_jmx_server. Default RMI/JMX deployments often surface on TCP 1099, but custom ports are common, so discovery is mostly about finding a reachable management socket rather than matching one fixed banner.

Conditions required:

A Java process has remote JMX enabled
A network path exists from the attacker to the JMX/RMI port
Firewall rules permit the connection

Where this breaks in practice:

Most enterprises do not expose JMX to the public internet on purpose
Many deployments pin JMX to management VLANs, localhost, or bastion-only paths
Custom java.rmi.server.hostname and split RMI port behavior can break remote reachability

Detection/coverage: Tenable plugin 118039 can detect the insecure condition remotely; Rapid7's java_jmx_scanner can identify JMX and report whether auth is required.

STEP 02

Connect without credentials

If com.sun.management.jmxremote.authenticate=false is set and SSL protections are off, the attacker can connect directly with standard JMX tooling such as jconsole, custom RMI clients, or Metasploit scanner code. At this point the attacker has management-plane access to the JVM, not merely passive visibility.

Conditions required:

JMX authentication is disabled
The target accepts remote JMX sessions
No network ACL blocks the source host

Where this breaks in practice:

Credentialed or mTLS-backed JMX deployments stop this dead
Source-IP allowlists on the JMX port cut exposure sharply
Some scanners over-report when they can see the listener but cannot complete the full management flow

Detection/coverage: Network telemetry can show inbound RMI/JMX handshakes; exposure scanners usually have good coverage for the unauthenticated state.

STEP 03

Abuse management privileges

With unauthenticated JMX access, the attacker can enumerate MBeans, inspect runtime state, change operational settings, trigger diagnostics, and interact with management functions that were meant for trusted operators. That alone can expose sensitive information or destabilize the service even if full code execution is not achieved.

Conditions required:

The JVM exposes useful MBeans or operational controls
The application account has access to sensitive runtime data
The JMX interface is not wrapped by additional app-layer auth

Where this breaks in practice:

Impact varies widely by application and what MBeans are actually registered
Some actions are noisy and can trigger app logs or EDR if they spawn subprocesses or dumps
Heavily sandboxed containerized JVMs may limit blast radius even when the JMX plane is open

Detection/coverage: JMX operation logging is inconsistent; many orgs have weak visibility into MBean activity unless JVM audit hooks or app logs were intentionally enabled.

STEP 04

Turn management access into code execution on older runtimes

Public exploit tooling such as Rapid7's exploit/multi/misc/java_jmx_server targets insecure JMX services by abusing MBean loading behavior. Oracle documentation explicitly warns that, when all security is disabled, a remote client can create an MLet MBean and load new MBeans from arbitrary URLs; OpenJDK later removed m-lets in Java 23, so this exact RCE path is strongest on Java <=22 and older long-lived enterprise builds.

Conditions required:

The target runtime still supports the relevant MLet behavior
The JVM runs without an effective Security Manager restriction
Outbound connectivity or reachable attacker-controlled content supports the payload flow

Where this breaks in practice:

Java 23 removed m-lets, reducing confidence in this exact technique on newest runtimes
Security Manager use was historically rare, but JDK changes also altered the old RCE assumptions
EDR often catches second-stage payloads, child processes, or suspicious outbound fetches from java

Detection/coverage: Exploit coverage exists in Metasploit and offensive docs, but defenders should validate runtime version before assuming RCE is still practical.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	I found no authoritative evidence that this exact Tenable configuration finding is in CISA KEV or tied to a named active campaign. That said, CISA has documented attacker tooling such as JexBoss that includes remote JMX exploitation capability, so the technique is not hypothetical.
Proof-of-concept availability	Public tooling exists: Rapid7 ships `auxiliary/scanner/misc/java_jmx_server` for discovery and `exploit/multi/misc/java_jmx_server` for exploitation; Exploit-DB also documents JMX/RMI RCE patterns across multiple products.
EPSS	N/A. EPSS is CVE-based, and this Tenable item is a configuration exposure, not a mapped CVE.
KEV status	Not KEV-listed as this issue has no CVE identifier in the Tenable record. Treat any KEV comparison as indirect only.
CVSS baseline	Tenable scores it 7.3 / HIGH with `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`. That baseline captures the no-auth network reachability, but it does not model the real-world friction that JMX remote must already be enabled and exposed.
Affected versions	Potentially any Oracle/OpenJDK-based Java application where remote JMX is enabled and both authentication and SSL are disabled. The strongest documented MLet-based RCE path applies to older releases and remains clearly documented in Oracle guidance through Java 21/22-era docs.
Fixed versions	There is no universal patched application version because this is a deployment/configuration flaw. The direct fix is to enable JMX auth and transport security or remove remote JMX exposure; separately, OpenJDK removed m-lets in Java 23, which narrows one RCE avenue but does not make unauthenticated remote management acceptable.
Scanning and exposure data	Internet search engines can hunt these services via RMI/JMX traits and common ports like `1099`; Shodan query syntax and Censys search support that workflow. I did not find a trustworthy current population count for exposed insecure JMX endpoints, so don't assume rarity or ubiquity without your own exposure telemetry.
Disclosure timeline	Tenable published plugin `118039` on 2018-10-10 and updated it on 2022-04-11. Oracle has long documented the `authenticate=false` plus `ssl=false` mode as insecure and unsuitable for production.
Primary reporting / source	This is best understood as a vendor-documented insecure operating mode surfaced by Tenable, with public offensive validation from Rapid7 and related JMX/RMI exploit research.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.1/10)

The decisive friction is attacker reachability: remote JMX must already be enabled and reachable, which sharply reduces the exposed population compared with a normal unauthenticated internet bug. The second big reality check is that the strongest documented RCE path is weaker on the newest Java releases, so the vendor's generic HIGH overstates fleet-wide urgency.

HIGH This is a **real security problem** when JMX is reachable without auth

MEDIUM The exact **RCE practicality** varies materially by Java version and runtime behavior

HIGH The generic **fleet-wide priority should be below vendor HIGH** absent external exposure

Why this verdict

Downward pressure: requires exposed management plane — the attacker does not get value unless remote JMX was explicitly enabled and left reachable. That is a substantial narrowing compared with bugs in default, externally reachable services.
Downward pressure: often post-initial-access — in many enterprises, JMX lives on internal or restricted monitoring networks. If an attacker must already be inside the network or on a management path, this is lateral-movement fuel, not an initial foothold at scale.
Downward pressure: blast radius is JVM-account scoped — even in the worst case the code runs as the Java process owner, not as automatic domain admin. That still matters, but it is not universally catastrophic.
Upward pressure: no authentication — if the service is reachable, the attacker needs no creds, no user interaction, and no exploit chain gymnastics to gain management access.
Upward pressure: public tooling exists — scanner and exploit modules are readily available, lowering operator skill requirements.
Upward pressure: east-west value is high — once an adversary lands on one subnet, an insecure JMX endpoint can hand them app insight, secrets exposure, or JVM-context execution.

Why not higher?

I am not calling this HIGH or CRITICAL by default because the vulnerability is not in the codebase by default; it depends on a deliberate insecure deployment choice plus network exposure. Also, the strongest documented arbitrary-code path is less portable across modern Java versions than Tenable's 2018-era scoring implies.

Why not lower?

I am not dropping this to LOW because once reachable, the interface is effectively an unauthenticated remote admin channel. Even without guaranteed code execution, attackers can still monitor, manipulate, and often materially abuse the JVM in ways that support lateral movement and service disruption.

05 · Compensating Control

What to do — in priority order.

Block JMX at the network edge — Restrict the JMX/RMI port to only approved monitoring hosts and admin jump boxes. For a MEDIUM finding there is no mitigation SLA, but this is the cleanest risk reducer and should be completed inside the 365-day remediation window; if any instance is internet-facing, do it immediately as an exception.
Turn on JMX authentication — Set com.sun.management.jmxremote.authenticate=true and back it with a controlled password file or JAAS/LDAP auth. For this MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but unauthenticated remote management should not survive your next configuration cycle.
Enable transport protection — Use com.sun.management.jmxremote.ssl=true and preferably client authentication where operationally feasible. This does not replace network restriction, but it prevents trivial clear unauthenticated access and belongs in the same 365-day remediation window.
Remove remote JMX where nobody truly needs it — A surprising number of servers keep JMX because 'monitoring once needed it' rather than because current tooling does. If there is no active dependency, disable remote JMX entirely during the normal hardening cycle and finish within the 365-day remediation window.
Prioritize by exposure path — Split findings into internet-facing, cross-segment internal, and bastion-only. The formal verdict here is MEDIUM, but any instance reachable from untrusted or broad user segments deserves out-of-band treatment before the rest of the backlog.

What doesn't work

A WAF does not help; this is not an HTTP attack surface.
General 'latest JDK' patching alone does not fix the exposure; even if Java 23 removed m-lets, an unauthenticated remote management plane is still bad.
Relying on obscurity of a nonstandard port does not help; JMX/RMI is easy to discover with routine internal scanning.
EDR is not a primary control here; it may catch second-stage payloads, but it does not stop unauthenticated management access itself.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host as root or as the same account that owns the JVMs, so it can read /proc/<pid>/cmdline for all Java processes. Save as check_jmx_118039.sh and run sudo bash check_jmx_118039.sh; it inspects running Java command lines and listener state, then prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_jmx_118039.sh
# Detect insecure remote Java JMX configuration matching Tenable plugin 118039.
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

unknown=0
vuln=0
found_java=0
have_proc=0

if [[ ! -d /proc ]]; then
  echo "UNKNOWN - /proc not available"
  exit 2
fi

if command -v ss >/dev/null 2>&1; then
  HAVE_SS=1
else
  HAVE_SS=0
fi

check_listener() {
  local port="$1"
  if [[ "$HAVE_SS" -eq 1 ]]; then
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "(^|:)${port}$"
    return $?
  fi
  return 0
}

for pid in /proc/[0-9]*; do
  [[ -r "$pid/comm" ]] || continue
  procname=$(tr -d '\0' < "$pid/comm" 2>/dev/null || true)
  [[ "$procname" == "java" || "$procname" == "javaw" ]] || continue

  found_java=1
  have_proc=1

  if [[ ! -r "$pid/cmdline" ]]; then
    unknown=1
    continue
  fi

  cmd=$(tr '\0' ' ' < "$pid/cmdline" 2>/dev/null || true)
  if [[ -z "$cmd" ]]; then
    unknown=1
    continue
  fi

  jmx_enabled=0
  jmx_port=""
  auth_false=0
  ssl_false=0

  [[ "$cmd" == *"-Dcom.sun.management.jmxremote"* ]] && jmx_enabled=1

  if [[ "$cmd" =~ -Dcom\.sun\.management\.jmxremote\.port=([0-9]+) ]]; then
    jmx_port="${BASH_REMATCH[1]}"
    jmx_enabled=1
  fi

  [[ "$cmd" == *"-Dcom.sun.management.jmxremote.authenticate=false"* ]] && auth_false=1
  [[ "$cmd" == *"-Dcom.sun.management.jmxremote.ssl=false"* ]] && ssl_false=1

  if [[ "$jmx_enabled" -eq 1 && "$auth_false" -eq 1 && "$ssl_false" -eq 1 ]]; then
    if [[ -n "$jmx_port" ]]; then
      if check_listener "$jmx_port"; then
        echo "VULNERABLE - pid=$(basename "$pid") port=$jmx_port cmd=$cmd"
        vuln=1
      else
        echo "VULNERABLE - pid=$(basename "$pid") configured_jmx_port=$jmx_port cmd=$cmd"
        vuln=1
      fi
    else
      echo "VULNERABLE - pid=$(basename "$pid") remote JMX enabled with auth=false and ssl=false cmd=$cmd"
      vuln=1
    fi
  fi
done

if [[ "$found_java" -eq 0 ]]; then
  echo "PATCHED - no running Java processes found"
  exit 0
fi

if [[ "$vuln" -eq 1 ]]; then
  exit 1
fi

if [[ "$unknown" -eq 1 ]]; then
  echo "UNKNOWN - at least one Java process could not be fully inspected"
  exit 2
fi

echo "PATCHED - no insecure remote JMX configuration detected in inspected Java processes"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as an exposure cleanup exercise, not a blind fleet-wide emergency patch. Use your scanner plus CMDB/runtime inventory to identify every host with plugin 118039, separate internet-facing or broad internal exposure from bastion-only management paths, and fix the reachable ones first by restricting access or re-enabling JMX security; for this MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window for standard internal findings, while any externally reachable instance should be escalated out of band the same day. Then complete the actual hardening change — disable remote JMX where unnecessary or enforce auth/SSL where it is needed — within the noisgate remediation SLA of ≤365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.