Enhancement | Resolution: Unresolved | P4 | None | None | generic | generic
A DESCRIPTION OF THE PROBLEM:
Remote debugging can be a security issue since it can allow remote code execution. That is probably why JDK-8041435 (not public) changed the behavior to not bind to all network interfaces by default; see also the release notes https://www.oracle.com/java/technologies/javase/9-all-relnotes.html#JDK-8041435 (emphasis mine):
> A hostname of asterisk (*) may be used to achieve the old behavior which is to bind the JDWP socket connector to all available interfaces; _this is not secure and not recommended_.
The problem is that many users are likely not aware of this, and third-party online guides might just recommend using `*:` without mentioning the security implications. For example, IntelliJ IDEA unfortunately seems to be doing this at the moment: https://youtrack.jetbrains.com/issue/IDEA-349570
It might therefore be good if the JDK detected usage of `*:`, or in general usage of a non-loopback address (in case that is a security issue as well), and then printed a warning message on the console. That warning message should ideally:
- be difficult to overlook, for example by being separated with `*********` lines or similar from other enclosing text
- mention that binding to non-loopback interfaces is insecure
- in case it can detect that the user used `*:` as argument, mention that this string is what makes the configuration insecure (in case users are not very familiar with the configuration options)
- if possible mention secure alternatives or configuration which can make it more secure
-- SSH tunnel?
-- JDK-8061228?
-- linking to relevant Oracle JDK documentation pages if there are any
-- recommending for local remote debugging to just omit `*:`
-- restricting access to the machine, or only using it for example inside a local Docker container
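As an added example (not part of this report and not JDK code), the following Python script applies the check this enhancement asks for to JVM command lines: it extracts the `jdwp` agent options, classifies the `address=` host by the JDK 9+ rule quoted above (no host means loopback only, `*` means every interface), and emits a warning framed by `*********` lines in the spirit of the bullet list. The command lines are constructed samples; the address parsing (bracketed IPv6 literal, `host:port`, or bare port) and the treatment of `server=n` as an outbound attach rather than a listener are the author's own simplifications.

```python
"""Audit JVM command lines for JDWP agents listening on non-loopback addresses.

Added example, not JDK code.  Bind classification follows the JDK 9+ rule
quoted in the report: a missing host binds loopback only, '*' binds all.
"""
import ipaddress
import shlex
from typing import Dict, Optional, Tuple

AGENT_PREFIXES = ("-agentlib:jdwp=", "-Xrunjdwp:")
BANNER = "*" * 72


def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    """Return key=value options of the first jdwp agent argument, or None."""
    for arg in shlex.split(cmdline):
        for prefix in AGENT_PREFIXES:
            if arg.startswith(prefix):
                opts: Dict[str, str] = {}
                for item in arg[len(prefix):].split(","):
                    key, sep, value = item.partition("=")
                    if sep:
                        opts[key.strip()] = value.strip()
                return opts
    return None


def split_address(address: str) -> Tuple[Optional[str], str]:
    """Split '[v6]:port', 'host:port' or 'port' into (host or None, port)."""
    if address.startswith("["):            # bracketed IPv6 literal
        host, _, port = address[1:].partition("]:")
        return host, port
    if ":" in address:
        host, _, port = address.rpartition(":")
        return host, port
    return None, address                   # bare port: loopback in JDK 9+


def classify_bind(address: str) -> str:
    """Return 'loopback', 'wildcard' or 'non-loopback' for a jdwp address."""
    host, _port = split_address(address)
    if host is None or host == "localhost":
        return "loopback"
    if host == "*":
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "non-loopback"              # some other hostname; assume reachable
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:                  # 0.0.0.0 or :: act like '*'
        return "wildcard"
    return "non-loopback"


def audit(cmdline: str) -> Tuple[str, Optional[str]]:
    """Classify the command line and build the warning text, if one is due."""
    opts = parse_jdwp_options(cmdline)
    if opts is None or "address" not in opts:
        return "no-jdwp", None
    if opts.get("server", "n") != "y":     # server=n: JVM connects out, no listener
        return "client-attach", None
    address = opts["address"]
    kind = classify_bind(address)
    if kind == "loopback":
        return kind, None
    if address.startswith("*:"):
        reason = "the '*:' prefix in address=%s binds the debug agent to ALL interfaces" % address
    else:
        reason = "address=%s binds the debug agent to a non-loopback interface" % address
    warning = "\n".join([
        BANNER,
        "WARNING: JDWP remote debugging is reachable from the network; " + reason + ".",
        "Anyone who can connect to that port can execute code in this JVM.",
        "Drop the host part (e.g. address=%s) to listen on loopback only, and"
        % split_address(address)[1],
        "reach it from another machine through an SSH tunnel instead.",
        BANNER,
    ])
    return kind, warning


# Constructed sample command lines (not captured from a real system).
SAMPLES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=0.0.0.0:8000 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=[::1]:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=*:5005 -jar app.jar",
    "java -jar app.jar",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        kind, warning = audit(sample)
        print("%-14s %s" % (kind, sample))
        if warning:
            print(warning)
```

Running the script lists each sample with its classification and prints the banner-framed warning for the `*:` and `0.0.0.0` cases; the bare-port, `[::1]` and `server=n` cases stay silent. The same `audit` function could be run over `ps` output on a build host to find forgotten debug listeners.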