From bf65929fdc607d5bb953a507c2f0c7256ae8e5b6 Mon Sep 17 00:00:00 2001
From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon@gmail.com>
Date: Wed, 1 Feb 2023 07:04:56 -0500
Subject: [PATCH] AMQ-9201 - Update Jolokia default access configuration

(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2)

Bug: https://issues.apache.org/jira/browse/AMQ-9201
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-41678

---
 assembly/src/release/conf/jolokia-access.xml | 34 +++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/assembly/src/release/conf/jolokia-access.xml b/assembly/src/release/conf/jolokia-access.xml
index 8cad1cd40e..97b099a5b7 100644
--- a/assembly/src/release/conf/jolokia-access.xml
+++ b/assembly/src/release/conf/jolokia-access.xml
@@ -22,8 +22,35 @@
     <strict-checking/>
   </cors>
 
-  <!-- deny calling operations or getting attributes from these mbeans -->
+  <!-- By default don't allow write or exec operations -->
+  <commands>
+    <command>read</command>
+    <command>list</command>
+    <command>version</command>
+    <command>search</command>
+  </commands>
+
+  <allow>
+    <!-- Allow all operations for the broker itself -->
+    <mbean>
+      <name>org.apache.activemq:*</name>
+      <attribute>*</attribute>
+      <operation>*</operation>
+    </mbean>
+    <!-- Allow all operations for Jolokia Config -->
+    <mbean>
+      <name>jolokia:type=Config</name>
+      <operation>*</operation>
+    </mbean>
+  </allow>
+
+  <!-- deny all operations or getting attributes from these mbeans -->
   <deny>
+    <mbean>
+      <name>org.apache.logging.log4j2:*</name>
+      <attribute>*</attribute>
+      <operation>*</operation>
+    </mbean>
     <mbean>
       <name>com.sun.management:type=DiagnosticCommand</name>
       <attribute>*</attribute>
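Review bot: The `jolokia:type=Config` entry in the new `<allow>` block grants `<operation>*</operation>` but, unlike the `org.apache.activemq:*` entry directly above it, lists no `<attribute>` element, and nothing records whether that asymmetry is intended. If Jolokia resolves access the way its reference manual describes, `<allow>` entries re-enable write and exec for the named MBeans regardless of the global `<commands>` list, so the comment on `<commands>` understates what the file permits; suggest `<!-- Globally only read/list/version/search are allowed; the <allow> entries below re-enable write/exec for the listed MBeans only -->`. For the broker entry, `<attribute>*</attribute>` without a mode also permits attribute writes on every `org.apache.activemq:*` MBean — if read-only attribute access was the intent there, `<attribute mode="read">*</attribute>` would state it explicitly. The `<deny>` element opened here closes in the second hunk.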
@@ -34,6 +61,11 @@
       <attribute>*</attribute>
       <operation>*</operation>
     </mbean>
+    <mbean>
+      <name>jdk.management.jfr:type=FlightRecorder</name>
+      <attribute>*</attribute>
+      <operation>*</operation>
+    </mbean>
   </deny>
 
 </restrict>
-- 
2.39.5

