• RSA Governance & Lifecycle 8.0.0 P03 HF01 and later

A security vulnerability was identified in the AFX module related to the insecure configuration of the Java JMX agent. Specifically, the JMX agent was running without SSL and password authentication, potentially allowing unauthenticated remote access for monitoring or management, and posing a risk of remote code execution.

https://community.rsa.com/s/article/RSA-2024-08-RSA-Governance-and-Lifecycle-Critical-Security-Update-for-Unauthenticated-JMX-Agent-and-Older-Version-of-Log4j-1-x

In RSA Governance & Lifecycle 8.0.0 GA through 8.0.0 P03:

• The JMX and broker services within ActiveMQ were originally configured without secure authentication.
• In earlier implementation, the files jmx.access and jmx.password were used for JMX authentication, but these stored credentials in clear text, which posed a security risk.

In RSA Governance & Lifecycle 8.0.0 P03 HF01 and later:
As part of the resolution:

• ActiveMQ has been upgraded to version 5.16.x, eliminating the insecure configuration of both the broker and JMX services.
• SSL-based communication has been enabled for all JMX connections, replacing username/password-based authentication.
• The files jmx.access and jmx.password  remain on the system for internal technical reasons, but:
  • They are non-functional dummy files.
  • The application does not use or rely on them in any way.
  • Their presence does not pose a security risk.

Any vulnerability scans that flag the presence of jmx.access or jmx.password in RSA Governance & Lifecycle 8.0.0 P03 HF01 or later, can be safely considered false positives. These files are inert and retained solely for compatibility purposes.