<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>in JDK 9 the behavior of the JDWP socket connector was changed to
only allow local connections by default [1]. This was likely done
for two reasons:</p>
<ol>
<li>In earlier versions JDWP would also listen for external
connections by default</li>
<li>When JDWP is exposed externally it represents a big security
risk because it allows remote code execution</li>
</ol>
<p>Especially the second point might not be obvious to average
users, but it is well known to security researchers and malicious
actors.</p>
<p>The problem is that besides this JDK 9 release note, which
nowadays probably no one is going to read anymore, these security
implications seem to be nowhere properly and visibly
documented. So what happened is that multiple forums, blogs and
IDEs (e.g. <a class="moz-txt-link-freetext"
href="https://youtrack.jetbrains.com/issue/IDEA-349570">https://youtrack.jetbrains.com/issue/IDEA-349570</a>)
started suggesting using `*` (= bind to all interfaces) without
mentioning the security implications prominently, or at all. This
completely defeats why this change in the JDK was done in the
first place.</p>
<p>Therefore I think it would be good if the JDWP connector, when
`*` (and maybe `0.0.0.0`) is used, printed a big warning on the
console which cannot be overlooked, telling the user that this
might be insecure.<br>
For example something like this or similar (any suggestions are
welcome):</p>
<blockquote type="cite">$ java
"-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005"
DebugTest.java<br>
Listening for transport dt_socket at address: 5005<br>
******** SECURITY WARNING ********<br>
Listening on all network interfaces for debug connections
(`address=*:<port>`) is insecure and can lead to remote code
execution if the machine is reachable from the internet and no
firewall prevents the connection.<br>
Prefer listening only for local connections
(`address=<port>`), and if remote access is necessary use
tools such as SSH to secure the connection.<br>
**********************************</blockquote>
<p>It might also be good to create a page for example on <a
class="moz-txt-link-freetext" href="https://dev.java/">https://dev.java/</a>
and link to it in this console message, which explains how SSH can
be used for this and which contains more information.</p>
<p>The alternative is spending a lifetime chasing down blogs and
comments which recommend using `*` and telling them to stop doing
this or at least to mention the security implications.<br>
</p>
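<p>As an added illustration (not part of the original message), a small Python check that parses the JDWP agent options discussed above and flags server sockets bound to `*`, `0.0.0.0` or `::`, i.e. the configurations that would deserve the proposed console warning. The sample command lines are constructed; the `-Xrunjdwp:` spelling is the legacy alias of `-agentlib:jdwp=`.</p>

```python
# JDK 9+ semantics of the dt_socket address option (per the JDK 9 release note):
#   address=<port>        -> loopback only (the secure default)
#   address=*:<port>      -> every network interface
#   address=<host>:<port> -> the given host or interface
import re
import shlex
from dataclasses import dataclass
from typing import Optional
# Both the -agentlib:jdwp=... and the legacy -Xrunjdwp:... spellings.
JDWP_OPTION = re.compile(r"^-(?:agentlib:jdwp=|Xrunjdwp:)(.+)$")
# Wildcard hosts: '*' as in the message, plus the IPv4/IPv6 "any" addresses.
ANY_HOSTS = {"*", "0.0.0.0", "::", "[::]"}

@dataclass
class JdwpBinding:
    server: bool            # server=y listens; server=n connects out instead
    host: Optional[str]     # None means loopback only
    port: str

def parse_jdwp_options(cmdline: str) -> Optional[JdwpBinding]:
    """Return the JDWP binding configured on a java command line, or None."""
    for arg in shlex.split(cmdline):
        m = JDWP_OPTION.match(arg)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        address = opts.get("address", "")
        if ":" in address:   # rpartition keeps bracketed IPv6 literals intact
            host, _, port = address.rpartition(":")
        else:
            host, port = None, address
        return JdwpBinding(server=opts.get("server", "n") == "y", host=host, port=port)
    return None

def exposed_to_all_interfaces(cmdline: str) -> bool:
    """True when the command line starts a JDWP server on every interface."""
    b = parse_jdwp_options(cmdline)
    return b is not None and b.server and b.host in ANY_HOSTS

# Constructed sample command lines (not taken from the original message).
SAMPLES = {
    "loopback": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005 DebugTest.java",
    "wildcard": 'java "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005" DebugTest.java',
    "ipv4_any": "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8000 -jar app.jar",
    "client":   "java -agentlib:jdwp=transport=dt_socket,server=n,address=debughost:5005 App",
}

def flagged() -> list[str]:
    # Sample names whose JDWP listener is reachable from every interface.
    return [name for name, cmd in SAMPLES.items() if exposed_to_all_interfaces(cmd)]
```

Running the same check over the command lines of live JVMs (for example from a process listing) gives an inventory of debug ports that are exposed beyond localhost.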
<p>Additionally maybe the documentation should mention the security
implications of JDWP, though I am not sure if there is one
canonical page about it. All information on oracle.com seems to be
rather technical specification documents; the closest might be <a
class="moz-txt-link-freetext"
href="https://docs.oracle.com/en/java/javase/23/docs/specs/jpda/conninv.html">https://docs.oracle.com/en/java/javase/23/docs/specs/jpda/conninv.html</a><br>
Compare this also with how other tools are handling security
implications of remote debugging, e.g. Node.js with
<a class="moz-txt-link-freetext"
href="https://nodejs.org/en/learn/getting-started/debugging#security-implications">https://nodejs.org/en/learn/getting-started/debugging#security-implications</a></p>
<p>Kind regards</p>
<p>[1]
<a class="moz-txt-link-freetext"
href="https://www.oracle.com/java/technologies/javase/9-all-relnotes.html#JDK-8041435">https://www.oracle.com/java/technologies/javase/9-all-relnotes.html#JDK-8041435</a><br>
</p>
<p>Side note: I am rather certain I had also reported this on the
JDK bug tracker through <a class="moz-txt-link-freetext"
href="https://bugreport.java.com">https://bugreport.java.com</a>
quite a while ago (unless I am misremembering this) also referring
to the IDEA bug report IDEA-349570 in the description, but it
seems the JDK bug report was never created and I never got a
response (?). See also my general concerns with the current bug
reporting in <a class="moz-txt-link-freetext"
href="https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html">https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html</a>.<br>
</p>
</body>
</html>