Remote debugging should print warning when binding to external address
Chris Plummer
chris.plummer at oracle.com
Thu Jan 30 03:45:49 UTC 2025
On 1/21/25 12:57 PM, some-java-user-99206970363698485155 at vodafonemail.de wrote:
>>> It seems I wasn't informed that the report had been created; at
>>> least I cannot find the confirmation mail for it. Note that I had
>>> specified a different private contact e-mail address.
>>
>> It's because the bug isn't public.
> ... but I am the reporter!? It could of course be that there was an
> attempt to inform me but it did not reach me for whatever reason
> (please don't mention the e-mail address I used for reporting here
> on this mailing list though).
>
> That is unfortunately exactly what I had been criticizing in
> https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html;
> as an external reporter it can be extremely non-transparent what happens to
> a report.
>
>> Yes, the bug is marked confidential.
> I don't really understand that. Unless I accidentally leaked private
> information in the report, I think it contains exactly the information
> I wrote in the original e-mail of this thread. And this is not secret
> information; it is basically what had been mentioned in the JDK 9
> release notes originally. It is rather weird to withhold this
> information from users, especially since malicious actors have long been
> aware of the security issues; see for example
> https://www.alibabacloud.com/blog/analysis-of-jdwpminer-mining-trojan-remote-debugging-with-java-causes-hidden-risks_598002
> or just search for "jdwp exploit" or similar.
>
> (Aleksei Ivanov, I have included you as a direct recipient of this mail,
> but this mail might still be awaiting approval on serviceability-dev@,
> so in case you respond before that it might be confusing for others.)
>
https://bugs.openjdk.org/browse/JDK-8329414 is no longer confidential.
You should be able to view it now.
Chris