Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/08/06 21:16:14 UTC

[Bug 55372] New: Bind JPDA_ADDRESS by default to lcaolhost

https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

            Bug ID: 55372
           Summary: Bind JPDA_ADDRESS by default to lcaolhost
           Product: Tomcat 8
           Version: 8.0.0-RC1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: 1983-01-06@gmx.net

The default setting of JPDA_ADDRESS=8000 poses some security risk. In many
corporate environments daily or weekly security scans are normal.

People, like me, sometimes forget to shut down Tomcat in debug mode. Port 8000
is open to anyone.

Default JPDA_ADDRESS should be changed to localhost:8000 to minimize security
scan reports and possible VM hijacks.

Since this is a breaking change, this can be done for Tomcat 8.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
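As an added example, not code from Tomcat or from the reporter, the following POSIX sh script puts the weak and the proposed JPDA_ADDRESS settings side by side, assembles the JDWP agent option roughly the way catalina.sh's "jpda start" target does (the exact option string is an assumption), and checks a listener listing for a JDWP port that is bound to something other than loopback, which is what the scheduled scans in the report would flag. The ss -ltnp output in SAMPLE_SS is constructed for the example, and the names SAMPLE_SS, jdwp_opts, is_network_bound and find_exposed_jdwp are invented here.

```shell
#!/bin/sh
# Added example, not Tomcat's own scripts. Contrasts the two JPDA_ADDRESS
# settings from bug 55372 and checks `ss -ltnp` style output (constructed
# sample below) for a JDWP listener reachable from the network.

# Hypothetical $CATALINA_BASE/bin/setenv.sh contents.
# Weak (Tomcat 7 default): a bare port makes the JVM listen on every interface.
JPDA_ADDRESS_WEAK="8000"
# Corrected (Tomcat 8.0.0-RC2 onwards): loopback only; remote clients need a tunnel.
JPDA_ADDRESS_SAFE="localhost:8000"

# Assemble the agent option from an address, approximating what catalina.sh does
# with JPDA_TRANSPORT=dt_socket and JPDA_SUSPEND=n (assumption: exact string may differ).
jdwp_opts() {
  printf '%s\n' "-agentlib:jdwp=transport=dt_socket,address=$1,server=y,suspend=n"
}

# Exit 0 when a "Local Address:Port" value from ss/netstat is reachable from the
# network, i.e. anything that is not a loopback bind (127.x or ::1).
is_network_bound() {
  case "$1" in
    127.*:*|\[::1\]:*|::1:*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed sample of `ss -ltnp` output for a Tomcat started with JPDA_ADDRESS=8000:
# JDWP on 0.0.0.0:8000, the shutdown port on loopback, HTTP on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:8000        0.0.0.0:*         users:(("java",pid=4242,fd=5))
LISTEN 0      100    127.0.0.1:8005      0.0.0.0:*         users:(("java",pid=4242,fd=60))
LISTEN 0      100    [::]:8080           [::]:*            users:(("java",pid=4242,fd=58))'

# Print each network-reachable listener on port $1 found in the ss output $2.
# Exit 0 if at least one was found (JDWP exposed), 1 otherwise.
find_exposed_jdwp() {
  port="$1"; found=1
  for addr in $(printf '%s\n' "$2" | awk '$1 == "LISTEN" { print $4 }'); do
    case "$addr" in
      *:"$port") if is_network_bound "$addr"; then printf '%s\n' "$addr"; found=0; fi ;;
    esac
  done
  return "$found"
}

# Stand-alone run: show both settings and scan the sample listing.
echo "weak:      $(jdwp_opts "$JPDA_ADDRESS_WEAK")"
echo "corrected: $(jdwp_opts "$JPDA_ADDRESS_SAFE")"
if find_exposed_jdwp 8000 "$SAMPLE_SS"; then
  echo "JDWP reachable from the network; set JPDA_ADDRESS=localhost:8000 in setenv.sh"
else
  echo "JDWP not exposed"
fi
```

On a real host, replace SAMPLE_SS with the output of ss -ltnp (or netstat -ltnp) after starting Tomcat with catalina.sh jpda start. Once JPDA_ADDRESS is localhost:8000, a debugger on another machine reaches the port through an SSH local forward such as ssh -L 8000:localhost:8000 user@tomcat-host and then attaches to localhost:8000 on the client side; that is the tunnel comment #1 of the bug refers to. The check deliberately treats any non-loopback bind as exposed, not just 0.0.0.0 and [::], because an explicit JPDA_ADDRESS of a routable interface address is just as reachable to a scanner.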


[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
(In reply to Michael Osipov from comment #3)
> (In reply to Mark Thomas from comment #2)
> > Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> > 
> > This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> > add a note to the migration page.
> 
> Looks good but you did leave out the catalina.bat and

That was an oversight. I'll fix that shortly.

> res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> know how to port forward a port with RDP.

netbeans I know nothing about.



[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

--- Comment #1 from Michael Osipov <19...@gmx.net> ---
This would of course imply that one would need an SSH tunnel to that machine.



[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

--- Comment #3 from Michael Osipov <19...@gmx.net> ---
(In reply to Mark Thomas from comment #2)
> Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> 
> This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> add a note to the migration page.

Looks good but you did leave out the catalina.bat and
res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
know how to port forward a port with RDP.



[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

Michael Osipov <19...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Bind JPDA_ADDRESS by        |Bind JPDA_ADDRESS by
                   |default to lcaolhost        |default to localhost



[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Or just change JPDA_ADDRESS back to 8000 in setenv.sh

This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also add
a note to the migration page.



Re: [Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by Brian Burch <br...@PingToo.com>.
On 07/08/13 09:32, bugzilla@apache.org wrote:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55372
>
> --- Comment #5 from Michael Osipov <19...@gmx.net> ---
> (In reply to Mark Thomas from comment #4)
>> [..]
>>> res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
>>> know how to port forward a port with RDP.
>>
>> netbeans I know nothing about.
>
> This is a user guide. Nothing crucial but examples should resemble the
> catalina.sh settings.

The appropriate section of the netbeans README is:

    The external Tomcat instance must be started with its jvm enabled for
    debugging by adding extra arguments to JAVA_OPTS, e.g.
    -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n

This paragraph is (I think) ide-agnostic, and refers to setting up the 
server for debugging by any local or remote client.

I use nix and my catalina.sh is started by /etc/init.d/tomcatX, which 
primes JAVA_OPTS when I want debugging. I've just checked catalina.sh 
and noticed there are four JPDA_* parameters too.

My first thought is to leave the README alone. Anyone wanting to use 
netbeans to debug tomcat on a different host ought not to be spoon-fed. 
On the other hand, given the comment is related to a change where by 
default tc will not listen on any interface except lo, perhaps I should 
say so in the README. How far is far enough? wdyt?

Brian




[Bug 55372] Bind JPDA_ADDRESS by default to localhost

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55372

--- Comment #5 from Michael Osipov <19...@gmx.net> ---
(In reply to Mark Thomas from comment #4)
> [..]
> > res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> > know how to port forward a port with RDP.
> 
> netbeans I know nothing about.

This is a user guide. Nothing crucial but examples should resemble the
catalina.sh settings.
