Remote debugging should print warning when binding to external address

some-java-user-99206970363698485155 at vodafonemail.de
Mon Jan 20 20:07:41 UTC 2025


Hello,

in JDK 9 the behavior of the JDWP socket connector was changed to only 
allow local connections by default [1]. This was likely done for two 
reasons:

 1. In earlier versions JDWP would also listen for external connections
    by default
 2. When JDWP is exposed externally it represents a big security risk
    because it allows remote code execution

Especially the second point might not be obvious to average users, but 
it is well known to security researchers and malicious actors.

The problem is that besides this JDK 9 release note, which probably 
nowadays no one is going to read anymore, these security implications 
do not seem to be properly and visibly documented anywhere. So what 
happened is that multiple forums, blogs and IDEs (e.g. 
https://youtrack.jetbrains.com/issue/IDEA-349570) started suggesting 
using `*` (= bind to all interfaces) without mentioning the security 
implications prominently, or at all. This completely defeats why this 
change in the JDK was done in the first place.

Therefore I think it would be good if the JDWP connector, when `*` (and 
maybe `0.0.0.0`) is used, printed a big warning on the console which cannot 
be overlooked, telling the user that this might be insecure.
For example something like this or similar (any suggestions are welcome):

> $ java 
> "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005" 
> DebugTest.java
> Listening for transport dt_socket at address: 5005
> ******** SECURITY WARNING ********
> Listening on all network interfaces for debug connections 
> (`address=*:<port>`) is insecure and can lead to remote code execution 
> if the machine is reachable from the internet and no firewall prevents 
> the connection.
> Prefer listening only for local connections (`address=<port>`), and if 
> remote access is necessary use tools such as SSH to secure the connection.
> **********************************
It might also be good to create a page for example on https://dev.java/ 
and link to it in this console message, which explains how SSH can be 
used for this and which contains more information.

The alternative is spending a lifetime chasing down blogs and comments 
which recommend using `*` and telling them to stop doing this or at 
least to mention the security implications.

Additionally maybe the documentation should mention the security 
implications of JDWP, though I am not sure if there is one canonical 
page about it. All information on oracle.com seems to be rather technical 
specification documents, the closest might be 
https://docs.oracle.com/en/java/javase/23/docs/specs/jpda/conninv.html
Compare this also with how other tools are handling security 
implications of remote debugging, e.g. Node.js with 
https://nodejs.org/en/learn/getting-started/debugging#security-implications

Kind regards


[1] 
https://www.oracle.com/java/technologies/javase/9-all-relnotes.html#JDK-8041435


Side note: I am rather certain I had also reported this on the JDK bug 
tracker through https://bugreport.java.com quite a while ago (unless I 
am misremembering this) also referring to the IDEA bug report 
IDEA-349570 in the description, but it seems the JDK bug report was 
never created and I never got a response (?). See also my general 
concerns with the current bug reporting in 
https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html.
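As an added defender-side check, which is not part of this post or of the JDK itself, the script below parses the `-agentlib:jdwp` option out of process command lines and reports which JVMs listen on all interfaces (`address=*:<port>` or `0.0.0.0`) versus localhost only (`address=<port>`). The process lines are constructed; treating `::` as a wildcard host and accepting bracketed IPv6 hosts are assumptions.

```python
import re
# Added example, not from the original post: matches the JDWP agent option string
# in a JVM command line (-agentlib:jdwp=... or the legacy -Xrunjdwp:...).
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)([^\s\"']+)")
# '*' and '0.0.0.0' are the forms the post discusses; '::' is added as an assumption.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_jdwp_options(opt_string):
    """Split 'transport=dt_socket,server=y,address=*:5005' into a dict."""
    return dict(part.partition("=")[::2] for part in opt_string.split(","))

def classify_bind(address):
    """'local' for a bare port or loopback host, 'all-interfaces' for a
    wildcard host, 'specific-host' otherwise (JDK 9+ semantics)."""
    host, sep, _port = address.rpartition(":")
    if not sep:                  # port only -> JDK 9+ listens on localhost
        return "local"
    host = host.strip("[]")      # tolerate bracketed IPv6 (assumption)
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    if host in LOOPBACK_HOSTS:
        return "local"
    return "specific-host"

def audit_process_lines(ps_lines):
    """Return one finding (pid, address, verdict) per JVM carrying a JDWP agent."""
    findings = []
    for line in ps_lines:
        match = JDWP_OPT.search(line)
        if not match:
            continue
        opts = parse_jdwp_options(match.group(1))
        if opts.get("server", "n") != "y":
            verdict = "not-listening"  # server=n: the JVM dials out, nothing is bound
        else:
            verdict = classify_bind(opts.get("address", ""))
        findings.append({"pid": line.split()[0], "address": opts.get("address"), "verdict": verdict})
    return findings

# Constructed sample `ps -o pid,args` output for illustration.
SAMPLE_PS = [
    "1201 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "1202 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005 DebugTest.java",
    "1203 java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:8000 -jar worker.jar",
    "1204 java -jar plain.jar",
]
```

Run against real `ps -eo pid,args` output, any `all-interfaces` verdict is a JVM exposing a remote code execution surface to whatever can reach that port.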