Bug 55372

Summary: Bind JPDA_ADDRESS by default to localhost
Product: Tomcat 8
Reporter: Michael Osipov <michaelo>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: enhancement
Priority: P2
Version: 8.0.0-RC1
Target Milestone: ----
Hardware: All
OS: All

Description Michael Osipov 2013-08-06 19:16:14 UTC
The default setting of JPDA_ADDRESS=8000 poses some security risk. In many corporate environments daily or weekly security scans are normal.

People, like me, sometimes forget to shutdown Tomcat in debug mode. Port 8000 is open to anyone.

Default JPDA_ADDRESS should be changed to localhost:8000 to minimize security scan reports and possible VM hijacks.

Since this is a breaking change, this can be done for Tomcat 8.
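The report's point is that catalina.sh hands JPDA_ADDRESS straight to the JVM (as the address= part of the -agentlib:jdwp option), so a bare port number such as 8000 makes the debug socket reachable from every interface, while a value with a loopback host keeps it local. The following shell snippet is an added example, not part of the bug report or of Tomcat itself: one function classifies a JPDA_ADDRESS value the way a reviewer of setenv.sh would, and a second one scans listener output for a debug port bound to a non-loopback address. The ss output it inspects is a constructed sample, and the functions jpda_exposure and exposed_debug_listeners are names chosen here, not anything from Tomcat.

```shell
#!/bin/sh
# Added example (not from the Tomcat bug report or from Tomcat's scripts).
# Assumption: as in the pre-JDK 9 behaviour the report describes, a bare port
# or a wildcard host in JPDA_ADDRESS makes the JDWP socket listen on all
# interfaces, while a loopback host keeps it reachable only from the machine.

# jpda_exposure ADDRESS -> prints "local" or "exposed"
jpda_exposure() {
    case "$1" in
        localhost:*|127.*:*|"[::1]:"*) echo local ;;   # loopback host given
        *:*)                           echo exposed ;; # other host, e.g. 0.0.0.0 or *
        *)                             echo exposed ;; # bare port: no host part at all
    esac
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# one JDWP listener on all interfaces, the Tomcat shutdown port on loopback,
# and the HTTP connector.
SAMPLE_SS='LISTEN 0 1 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8005 0.0.0.0:*
LISTEN 0 100 *:8080 *:*'

# exposed_debug_listeners SS_OUTPUT [PORT] -> local addresses of listeners on
# PORT (default 8000) that are not bound to a loopback address
exposed_debug_listeners() {
    port=${2:-8000}
    printf '%s\n' "$1" | awk -v p=":$port" '
        index($4, p) == length($4) - length(p) + 1 &&
        $4 !~ /^(127\.|\[::1\]|localhost)/ { print $4 }'
}

# Stand-alone run: classify the report's old default and the proposed one,
# then audit the sample listener table.
echo "8000           -> $(jpda_exposure 8000)"
echo "localhost:8000 -> $(jpda_exposure localhost:8000)"
echo "exposed JDWP listeners: $(exposed_debug_listeners "$SAMPLE_SS")"
```

On a real host the second function would be fed the live output of `ss -Hltn` (or the equivalent netstat listing); anything it prints is a debug port that a network security scan, or anyone on the network, can reach.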
Comment 1 Michael Osipov 2013-08-06 19:32:35 UTC
This would of course imply that one would need an SSH tunnel to that machine.
Comment 2 Mark Thomas 2013-08-06 21:25:35 UTC
Or just change JPDA_ADDRESS back to 8000 in setenv.sh

This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also add a note to the migration page.
Comment 3 Michael Osipov 2013-08-07 07:50:20 UTC
(In reply to Mark Thomas from comment #2)
> Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> 
> This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> add a note to the migration page.

Looks good but you did leave out the catalina.bat and res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not know how to port forward a port with RDP.
Comment 4 Mark Thomas 2013-08-07 07:51:48 UTC
(In reply to Michael Osipov from comment #3)
> (In reply to Mark Thomas from comment #2)
> > Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> > 
> > This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> > add a note to the migration page.
> 
> Looks good but you did leave out the catalina.bat and

That was an oversight. I'll fix that shortly.

> res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> know how to port forward a port with RDP.

netbeans I know nothing about.
Comment 5 Michael Osipov 2013-08-07 08:32:42 UTC
(In reply to Mark Thomas from comment #4)
> [..]
> > res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> > know how to port forward a port with RDP.
> 
> netbeans I know nothing about.

This is a user guide. Nothing crucial but examples should resemble the catalina.sh settings.