BSA-2018-743

Brocade Fabric OS

2 more products

21589

13 January 2021

19 December 2018

Closed

High

9.8

Yes

CVE-2018-6443

Summary

Security Advisory ID : BSA-2018-743

Component : Hard-coded Credentials

Revision : 3.1: Final


A vulnerability in Brocade Network Advisor could allow an unauthenticated, remote attacker to log into the JMX Console of an affected system using undocumented user credentials. The vulnerability is due to the presence of undocumented user credentials with an encrypted default password. A remote, unauthenticated user who has access to the Network Advisor client libraries and is able to decrypt the JBoss credentials could gain access to the JMX Console.

Affected Products
Brocade Network Advisor All Versions.

Products Confirmed Not Vulnerable
No other Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

Solution
JMX console access must be secured by denying inbound access to the port on the host running Brocade Network Advisor. Optionally, customers may block access at the firewall.
The JMX console listens on port 24604 in the default configuration, or on the fifth port counted from the JBoss start port that the user configured during installation.
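As an added example that is not part of the advisory, the POSIX shell script below checks whether the JMX console port is bound to a non-loopback address and, if so, prints host-firewall rules that deny inbound access to it as the Solution section requires. It assumes a Linux host with `ss` and iptables; the sample socket table is constructed, and the port defaults to the advisory's 24604.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the Network Advisor JMX console
# port and print the "deny inbound" firewall rules. Assumes Linux + iptables.
JMX_PORT="${JMX_PORT:-24604}"   # advisory default; override if JBoss start port was changed

# Constructed sample of `ss -ltn` output, used when no live socket table is available.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:24600      0.0.0.0:*
LISTEN 0      128    0.0.0.0:24604        0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*'

# jmx_exposure <port> <ss-output>: prints "exposed" if the port listens on a
# wildcard or non-loopback address, "local" if bound only to loopback,
# "closed" if nothing listens on it.
jmx_exposure() {
    port="$1"; table="$2"
    printf '%s\n' "$table" | awk -v p="$port" '
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # local address without ":port"
            lp = $4;   sub(/.*:/, "", lp)          # local port only
            if (lp != p) next
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            r = exposed ? "exposed" : (found ? "local" : "closed")
            print r
        }'
}

# deny_rules <port>: emit iptables/ip6tables rules that drop inbound TCP
# connections to the port on every interface except loopback. Printed, not applied.
deny_rules() {
    port="$1"
    printf 'iptables  -A INPUT -p tcp --dport %s ! -i lo -j DROP\n' "$port"
    printf 'ip6tables -A INPUT -p tcp --dport %s ! -i lo -j DROP\n' "$port"
}

main() {
    table="$(ss -ltn 2>/dev/null)"
    [ -n "$table" ] || table="$SAMPLE_SS"   # fall back to the constructed sample
    state="$(jmx_exposure "$JMX_PORT" "$table")"
    echo "JMX port $JMX_PORT: $state"
    if [ "$state" = "exposed" ]; then deny_rules "$JMX_PORT"; fi
}

main "$@"
```

Review the printed rules before applying them; the script only reports and never modifies firewall state itself.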

Recommended Action
Brocade recommends that all customers run a supported Network Advisor version and block JMX Console access.

Note:
A separate vulnerability affects Brocade Network Advisor versions before 14.3.1. The issue is described in BSA-2018-841. Brocade Network Advisor versions before 14.3.1 are no longer supported. Customers must ensure they are running supported Network Advisor versions.

Credits:
Brocade is grateful to Jakub Palaczynski and Hans-Martin Münch from MOGWAI LABS GmbH for reporting the issue.

Revision History

Version  Change                                Date
1.0      Initial Publication                   December 19, 2018
2.0      Updated the solution section          July 10, 2019
3.0      Major update in Summary and Solution  August 12, 2019
4.0      Solution update                       January 13, 2021