Remote Java JMX agent is configured without SSL client and password authentication in RSA Governance & Lifecycle
Article Number
Applies To
- RSA Governance & Lifecycle 8.0.0 P03 HF01 and later
Article Summary
A security vulnerability was identified in the AFX module related to the insecure configuration of the Java JMX agent. Specifically, the JMX agent was running without SSL and password authentication, potentially allowing unauthenticated remote access for monitoring or management, and posing a risk of remote code execution.
Link to Advisories
Alert Impact
Not Applicable
Alert Impact Explanation
In RSA Governance & Lifecycle 8.0.0 GA through 8.0.0 P03:
- The JMX and broker services within ActiveMQ were originally configured without secure authentication.
- In earlier implementation, the files jmx.access and jmx.password were used for JMX authentication, but these stored credentials in clear text, which posed a security risk.
In RSA Governance & Lifecycle 8.0.0 P03 HF01 and later:
As part of the resolution:
- ActiveMQ has been upgraded to version 5.16.x, eliminating the insecure configuration of both the broker and JMX services.
- SSL-based communication has been enabled for all JMX connections, replacing username/password-based authentication.
- The files jmx.access and jmx.password remain on the system for internal technical reasons, but:
- They are non-functional dummy files.
- The application does not use or rely on them in any way.
- Their presence does not pose a security risk.
Resolution
Any vulnerability scans that flag the presence of jmx.access or jmx.password in RSA Governance & Lifecycle 8.0.0 P03 HF01 or later, can be safely considered false positives. These files are inert and retained solely for compatibility purposes.
Disclaimer
Related Articles
Deep Linking 43Number of Views Collections fail with NullPointerException on Remote Agent in SecurID Governance & Lifecycle 309Number of Views Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle 120Number of Views Authentication Manager 8.1 SP1 conflict between NTP time and VMWare Host time, both set 110Number of Views RSA Authentication Agent agent type values in Authentication Manager 8.x 346Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager 8.9 Setup and Configuration Guide RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings.
Don't see what you're looking for?