CVE-2026-pendingで見つかった重大なセキュリティの問題はJobserverとRuntimeが外部のインターネットと通信できない状態でも影響がありますか？

Hi,

Since applying the R2026-01 Runtime patch, the monitoring port doesn't seem to be operational at all.

When I set it to true, the entire server goes DOWN.

If I set it to false, the server goes to UP: but the MonitoringPort is misconfigured.

Was this what the patch was supposed to do? Is there an alternative way to use the monitoring port, or was this simply an emergency measure to disable its functionality until a proper fix can be applied to the JMX code?

We're having the same issues with server down after applying the patch.

On 2026-01 and 2026-02v2 the server will appear down in TAC if the monitoring port is enabled. Will cycle up/down if disabled.

Actually - it seems to have been fixed in 2026-02. There is a clear distinction between a Job Server config and a Runtime Server config, so monitoring and process message ports no longer appear under the Runtime Server ports config and np DOWN status is generated by them.

However, please note that you need an updated version of TAC to see this change. So it would be best to upgrade to the latest QTAC-1884 (it also worked in QTAC-1883).

Ok, thx. Had issues with both on a live runtime.

Upgraded a minimal conf:ed runtime to 2026_01 to exclude anything we had adjusted. Will try bumping it up to _02v2 then.

On QTAC-1884 as well.

Bumped it up to 2026-02v2, look like my problem now is that my monitoring port is only listening on 127.0.0.1 so the tac will not be able to access it on a separate server.
The patch restricted 3 others to localhost, fixed those but can't seem to find a way to change that.

You can change IP assignment in /runtime/etc/org.apache.karaf.management.cfg

But you can now turn off the Job Server section and then the Runtime Server section isn't affected by the monitoring port anymore