JDK-8329414

Remote debugging should print security warning when binding to all interfaces


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P4
    • Component: core-svc
    • OS: generic
    • CPU: generic

A DESCRIPTION OF THE PROBLEM :
Remote debugging can be a security issue since it can allow remote code execution. That is probably why JDK-8041435 (not public) changed the behavior to not bind to all network interfaces by default, see also release notes https://www.oracle.com/java/technologies/javase/9-all-relnotes.html#JDK-8041435 (emphasis mine):
> A hostname of asterisk (*) may be used to achieve the old behavior which is to bind the JDWP socket connector to all available interfaces; _this is not secure and not recommended_.

The problem is that many users are likely not aware of this, and third-party online guides might just recommend using `*:` without mentioning the security implications. For example IntelliJ IDEA unfortunately seems to be doing this at the moment: https://youtrack.jetbrains.com/issue/IDEA-349570

It might therefore be good if the JDK detected usage of `*:`, or in general usage of a non-loopback address (in case that is a security issue as well), and then printed a warning message on the console. That warning message should ideally:
- be difficult to overlook, for example by being separated with `*********` lines or similar from other enclosing text
- mention that binding to non-loopback interfaces is insecure
- in case it can detect that the user used `*:` as argument, mention that this string is what makes the configuration insecure (in case users are not very familiar with the configuration options)
- if possible mention secure alternatives or configuration which can make it more secure
  -- SSH tunnel?
  -- JDK-8061228?
  -- linking to relevant Oracle JDK documentation pages if there are any
  -- recommending for local remote debugging to just omit `*:`
  -- restricting access to the machine, or only using it for example inside a local Docker container
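The check the report asks the JDK to perform, written out as a stand-alone linter for the JDWP agent option string. This is an added example, not JDK code and not something the reporter posted: it parses `-agentlib:jdwp=...` (or the legacy `-Xrunjdwp:` spelling), classifies the `address=` value, and renders a warning in the shape the report describes. The "bare port binds to localhost" rule follows the JDK 9 release note quoted above; treating `0.0.0.0` and `::` like `*`, accepting a `[v6]:port` form, and counting any hostname as a routable interface are assumptions made here. Python is used because the check operates on the option string, not on JVM internals.

```python
"""Lint a JDWP agent option string for non-loopback listen addresses.

Added example, not JDK code. Classification rules marked as assumptions
are this example's choices, not documented JDWP behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

BANNER = "*" * 72


@dataclass
class JdwpConfig:
    transport: str
    server: bool
    address: Optional[str]


def parse_jdwp_option(arg: str) -> JdwpConfig:
    """Parse '-agentlib:jdwp=k=v,...', '-Xrunjdwp:k=v,...' or a bare 'k=v,...' list."""
    opts = arg
    for prefix in ("-agentlib:jdwp=", "-Xrunjdwp:"):
        if arg.startswith(prefix):
            opts = arg[len(prefix):]
            break
    kv: Dict[str, str] = {}
    for item in opts.split(","):
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        kv[key.strip()] = value.strip()
    return JdwpConfig(
        transport=kv.get("transport", ""),
        server=kv.get("server", "n").lower() == "y",  # server=n is the JDWP default
        address=kv.get("address") or None,
    )


def classify_listen_address(cfg: JdwpConfig) -> str:
    """Return 'no-listener', 'loopback', 'all-interfaces' or 'non-loopback'."""
    if cfg.transport != "dt_socket" or not cfg.server:
        return "no-listener"  # VM attaches out (server=n) or no TCP transport
    if cfg.address is None or ":" not in cfg.address:
        # Bare port or no address: since JDK 9 this binds to localhost only
        # (release note for JDK-8041435 cited in the report).
        return "loopback"
    host, _, _port = cfg.address.rpartition(":")
    if host == "*":
        return "all-interfaces"  # the documented "bind everywhere" wildcard
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # assumption: '[v6]:port' form
    except ValueError:
        return "non-loopback"  # assumption: a hostname resolves to a routable NIC
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # assumption: 0.0.0.0 / :: behave like '*'
        return "all-interfaces"
    return "non-loopback"


def warning_for(arg: str) -> Optional[str]:
    """Return the console warning the report proposes, or None when the agent
    listens on loopback only or does not listen at all."""
    cfg = parse_jdwp_option(arg)
    kind = classify_listen_address(cfg)
    if kind in ("no-listener", "loopback"):
        return None
    lines = [BANNER, "WARNING: the JDWP debug agent is reachable from other hosts."]
    if kind == "all-interfaces":
        lines.append(f"address={cfg.address} binds the JDWP socket to ALL network interfaces;")
    else:
        lines.append(f"address={cfg.address} binds the JDWP socket to a non-loopback interface;")
    lines += [
        "anyone who can connect to that port can execute arbitrary code in this JVM.",
        "Safer alternatives:",
        "  - drop the host part (address=<port>) so the agent listens on localhost only;",
        "  - keep the loopback binding and reach it through an SSH tunnel, e.g.",
        "      ssh -L 5005:localhost:5005 <host>",
        "  - or firewall the port / keep the JVM on an isolated container network.",
        BANNER,
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the configuration the report is worried about.
    print(warning_for("-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"))
```

The `server=n` branch matters: in that mode the `address` is the debugger the VM connects out to, so no socket is bound and the warning would be noise. The hostname branch is conservative on purpose; resolving names at lint time would make the result depend on the machine running the check.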

Assignee: Unassigned
Reporter: webbuggrp (Webbug Group)
Votes: 0
Watchers: 7