Bug 55372 - Bind JPDA_ADDRESS by default to localhost
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.0-RC1
Hardware: All
OS: All
Importance: P2 enhancement
Target Milestone: ----
Assigned To: Tomcat Developers Mailing List
Depends on:
Blocks:
Reported: 2013-08-06 19:16 UTC by Michael Osipov
Modified: 2013-08-07 08:32 UTC (History)
Description Michael Osipov 2013-08-06 19:16:14 UTC
The default setting of JPDA_ADDRESS=8000 poses some security risk. In many corporate environments daily or weekly security scans are normal.

People, like me, sometimes forget to shut down Tomcat in debug mode. Port 8000 is open to anyone.

Default JPDA_ADDRESS should be changed to localhost:8000 to minimize security scan reports and possible VM hijacks.

Since this is a breaking change, this can be done for Tomcat 8.
Comment 1 Michael Osipov 2013-08-06 19:32:35 UTC
This would of course imply that one would need an SSH tunnel to that machine.
Comment 2 Mark Thomas 2013-08-06 21:25:35 UTC
Or just change JPDA_ADDRESS back to 8000 in setenv.sh

This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also add a note to the migration page.
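The two defaults discussed here (a bare `8000` versus `localhost:8000`) differ only in the host part of the address that ends up in the JDWP agent option. The following added example (not Tomcat's own catalina.sh; the option format is modelled on it and the function names are assumptions) shows how a JPDA_ADDRESS value becomes that option and classifies whether the resulting debug listener is reachable from other hosts.

```shell
#!/bin/sh
# Added example, not part of Tomcat. Models how catalina.sh turns JPDA_ADDRESS
# into the JDWP agent option and classifies the exposure of the listener.

# Build the agent option from a JPDA_ADDRESS value (as set in setenv.sh) and
# the default to apply when it is unset. Pre-fix default: "8000" (all
# interfaces); default after this bug: "localhost:8000" (loopback only).
jpda_opts() {
  addr=${1:-$2}
  printf '%s\n' "-agentlib:jdwp=transport=dt_socket,address=${addr},server=y,suspend=n"
}

# Classify a JPDA_ADDRESS value by the host part in front of the port:
#   wildcard  - bare port, "*", 0.0.0.0 or [::]: every interface listens,
#               so a network scan will report the debug port
#   loopback  - localhost, 127.0.0.1 or [::1]: reachable only locally
#               (remote debugging then needs an SSH tunnel)
#   specific  - any other named or numeric address
jpda_exposure() {
  case "$1" in
    *:*) host=${1%:*} ;;   # strip ":port", keeps "[::1]" for IPv6 literals
    *)   host="" ;;        # bare port, no host given
  esac
  case "$host" in
    ""|"*"|0.0.0.0|"[::]") echo wildcard ;;
    localhost|127.0.0.1|"[::1]") echo loopback ;;
    *) echo specific ;;
  esac
}

# Constructed values: the old default and the default introduced by this bug.
for a in 8000 localhost:8000; do
  printf '%-16s %s   %s\n' "$a" "$(jpda_exposure "$a")" "$(jpda_opts "$a" localhost:8000)"
done
```

Running `jpda_exposure` against the JPDA_ADDRESS in a deployment's setenv.sh gives a quick check that a debug-mode Tomcat is not listening on all interfaces.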
Comment 3 Michael Osipov 2013-08-07 07:50:20 UTC
(In reply to Mark Thomas from comment #2)
> Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> 
> This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> add a note to the migration page.

Looks good but you did leave out the catalina.bat and res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not know how to port forward a port with RDP.
Comment 4 Mark Thomas 2013-08-07 07:51:48 UTC
(In reply to Michael Osipov from comment #3)
> (In reply to Mark Thomas from comment #2)
> > Or just change JPDA_ADDRESS back to 8000 in setenv.sh
> > 
> > This has been applied to trunk and will be in 8.0.0-RC2 onwards. I'll also
> > add a note to the migration page.
> 
> Looks good but you did leave out the catalina.bat and

That was an oversight. I'll fix that shortly.

> res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> know how to port forward a port with RDP.

netbeans I know nothing about.
Comment 5 Michael Osipov 2013-08-07 08:32:42 UTC
(In reply to Mark Thomas from comment #4)
> [..]
> > res/ide-support/netbeans/README.txt. Was that intentional? Though, I do not
> > know how to port forward a port with RDP.
> 
> netbeans I know nothing about.

This is a user guide. Nothing crucial but examples should resemble the catalina.sh settings.