Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/12/25 11:11:36 UTC

[Bug 55931] New: Security: Tomcat7 opens 2 additional random ports that listen for all IPs when JMX is enabled

https://issues.apache.org/bugzilla/show_bug.cgi?id=55931

            Bug ID: 55931
           Summary: Security: Tomcat7 opens 2 additional random ports that
                    listen for all IPs when JMX is enabled
           Product: Tomcat 7
           Version: 7.0.47
          Hardware: Other
                OS: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: michael_furman@hotmail.com

I run 7.0.47 using Java 1.7.0_45-b18 on Centos6.
I enabled JMX using the following options:

CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9123
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.local.only=true"

Unfortunately, when I check what ports are opened I discover 2 additional
random ports:

netstat -plunt | grep java
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 :::60555                    :::*                        LISTEN      22752/java
tcp        0      0 ::ffff:127.0.0.1:8080       :::*                        LISTEN      22752/java
tcp        0      0 :::9123                     :::*                        LISTEN      22752/java
tcp        0      0 :::40867                    :::*                        LISTEN      22752/java


Please note that on each restart only the configured ports 8080 and 9123 remain
the same, and the two additional ports change values.
It is a security problem, since Tomcat listens on all IPs.

Why does JMX in Tomcat open 2 additional ports?
How can I configure these ports?
How can I configure it so that `::ffff:127.0.0.1` appears before all ports opened
by JMX?

I have configured JmxRemoteLifecycleListener
http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#JMX_Remote_Lifecycle_Listener_-_org.apache.catalina.mbeans.JmxRemoteLifecycleListener
Using the following configuration:

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="9123" rmiServerPortPlatform="10002"
rmiBindAddress="localhost"/>

In this case only one random port (60714 in the list below) appears: 

tcp 0 0 ::ffff:127.0.0.1:8080 :::* 
tcp 0 0 ::ffff:127.0.0.1:10002 :::* 
tcp 0 0 ::ffff:127.0.0.1:9123 :::* 
tcp 0 0 :::60714 :::*

Why does JMX in Tomcat open 1 additional port?
How can I configure the port?
How can I configure it so that `::ffff:127.0.0.1` appears before all ports opened
by JMX?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
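The report above boils down to one check a defender wants to repeat after every restart: which TCP listeners of the Tomcat JVM are bound to the wildcard address (`::` or `0.0.0.0`) rather than to the loopback address, and which of them are not among the ports that were deliberately configured. The following shell function is an added example, not part of the bug report or of Tomcat; it parses `netstat -plunt` style output from stdin. The sample output embedded below is constructed to mirror the reporter's listing (PID 22752, configured ports 8080 and 9123), and the `pgrep` usage in the comment is an assumed invocation, not something the report shows.

```shell
#!/bin/sh
# Added example (not from the bug report): flag wildcard-bound TCP listeners
# of a given java PID that are not in the list of expected ports.

# Constructed sample, modelled on the report's "netstat -plunt | grep java".
SAMPLE_NETSTAT='tcp        0      0 :::60555                    :::*                        LISTEN      22752/java
tcp        0      0 ::ffff:127.0.0.1:8080       :::*                        LISTEN      22752/java
tcp        0      0 :::9123                     :::*                        LISTEN      22752/java
tcp        0      0 :::40867                    :::*                        LISTEN      22752/java'

# find_wildcard_listeners PID "PORT PORT ..."
#   Reads netstat -plunt output on stdin and prints, one per line, every
#   LISTEN port owned by PID/java that is bound to "::" or "0.0.0.0" and is
#   not in the space-separated list of expected ports.
find_wildcard_listeners() {
    awk -v pid="$1" -v expected=" $2 " '
        BEGIN { want = pid "/java" }
        # tcp/tcp6 rows: $4 = local address, $6 = state, $7 = PID/Program name
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 == want {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the final ":<port>" is the bound host address
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((host == "::" || host == "0.0.0.0") && index(expected, " " port " ") == 0)
                print port
        }'
}

# Run against the constructed sample; with a live system the same function is
# fed real output, e.g. (assumed invocation):
#   netstat -plunt | find_wildcard_listeners "$(pgrep -f org.apache.catalina.startup.Bootstrap)" "8080 9123"
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_wildcard_listeners 22752 "8080 9123"
}

check_sample
```

On the sample this prints `60555` and `40867`, the two ephemeral RMI ports from the report; the loopback-bound 8080 and the expected 9123 are not reported. Run from cron or a configuration check, a non-empty result is the signal that the JVM's JMX/RMI transport is still exposed on all interfaces.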


[Bug 55931] Security: Tomcat7 opens 2 additional random ports that listen for all IPs when JMX is enabled


--- Comment #2 from Michael <mi...@hotmail.com> ---
Dear Mark,
What do you mean by “JMXLifecylceListener in JMXREmote.jar”?
I configured JmxRemoteLifecycleListener from catalina-jmx-remote.jar. 

Do you mean this class or something else?

Regarding JMX 
You are absolutely correct: Java opens 3 ports when JMX is configured, not
Tomcat.

When I configure JmxRemoteLifecycleListener I have control over 2 ports:
rmiRegistryPortPlatform and rmiServerPortPlatform

My questions:
1)    What is the 3rd port opened by Java? Why is it not used when connecting
with JConsole?
2)    Why is it not controlled by JmxRemoteLifecycleListener?
Can it be controlled by JmxRemoteLifecycleListener? Is it an enhancement request,
or is it not possible?



[Bug 55931] Security: Tomcat7 opens 2 additional random ports that listen for all IPs when JMX is enabled


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
That is how JMX works. It is controlled by the JVM, not Tomcat.

If you want greater control of those ports, use the JMXLifecylceListener in
JMXREmote.jar from the extras package.



[Bug 55931] Security: Tomcat7 opens 2 additional random ports that listen for all IPs when JMX is enabled


--- Comment #4 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Michael from comment #2)

There are two cases in OP's report
"Case A": without JmxRemoteLifecycleListener
"Case B": with JmxRemoteLifecycleListener


> What is 3-d port opened by Java?

Take a thread dump. You will see what threads actually listen on network ports.
From there you may guess why.


My result on Fedora 19 with OpenJDK "1.7.0_45" (OpenJDK Client VM (build
24.45-b08, mixed mode, sharing)) running without JmxRemoteLifecycleListener
("Case A") is that I also see 3 open IPv6 ports.

The thread dump shows that there is one thread named "RMI TCP Accept-9123" and
two threads named "RMI TCP Accept-0", and all three of them have the following
stack trace:
        at java.net.ServerSocket.accept(ServerSocket.java:498)
        at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.executeAcceptLoop(TCPTransport.java:388)
        at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.run(TCPTransport.java:360)
        at java.lang.Thread.run(Thread.java:744)

If I add the following to the setenv.sh, it turns on debug logging [1]

CATALINA_OPTS="${CATALINA_OPTS} -Dsun.rmi.transport.tcp.logLevel=VERBOSE"

[1]
http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/sunrmiproperties.html

With the logging I see how those three ports are being opened, but I do not
know why.


I suspect that the cause for the additional port is some bug in initialization
of RMI Registry. As such, it should be fixed in the JRE.



[Bug 55931] Security: Tomcat7 opens 2 additional random ports that listen for all IPs when JMX is enabled


--- Comment #3 from Chuck Caldarale <ch...@unisys.com> ---
(In reply to Michael from comment #2)
> My questions:

Bugzilla is not a support forum; post your questions on the Tomcat users'
mailing list.
