Bug 66362 - listening on all local addresses by default is not security best practice
Summary: listening on all local addresses by default is not security best practice
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2022-11-23 18:04 UTC by tommydu1123
Modified: 2022-11-23 18:29 UTC
Description tommydu1123 2022-11-23 18:04:18 UTC
Hi there,

The default behaviour of the HTTP connector is listening on all interfaces. It is found in the description of "address" in the attributes section. (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

In terms of secure defaults, it may not be best practice. In case of unexpected mistakes made by people, the default behaviour of exposing the server to every possible network may pose a potential threat to security. (CWE-1327: Binding to an Unrestricted IP Address: https://cwe.mitre.org/data/definitions/1327.html)

The issue should be a security enhancement. I recommend changing the default behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, and adding a configuration option, with default value OFF, for 0.0.0.0 or ::.

If there have been any previous discussions about this, could you please tell me more?

Hope that I make it clear.
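The report above is about one attribute: a Tomcat HTTP `<Connector>` whose `address` is left unset listens on every local address, which is the CWE-1327 condition it cites. The following script is an added example, not code from Tomcat or from the reporter. It parses a constructed server.xml (the sample file, its ports and addresses are assumptions for illustration), classifies each HTTP connector's effective bind address (missing, `0.0.0.0` or `::` all mean "every interface"), and rewrites the exposed connectors to the loopback form the report proposes. The HTTP-vs-other-connector test is a simple heuristic on the `protocol` attribute, and hostnames in `address` are reported but not resolved.

```python
"""Audit a Tomcat server.xml for HTTP Connectors that bind to all interfaces.

Added example for the bug report above (not Tomcat's own code). Per the
Tomcat 9 HTTP connector documentation, a Connector with no `address`
attribute listens on all local addresses; this script flags that case
(and the explicit wildcards 0.0.0.0 and ::) as CWE-1327.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml: ports and addresses are made up for this example.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- No address attribute: Tomcat's default, listens on all local addresses -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- Explicit IPv4 wildcard: same effect -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="0.0.0.0" SSLEnabled="true" />
    <!-- IPv6 unspecified address: same effect -->
    <Connector port="8081" address="::" />
    <!-- Loopback only: what the report proposes as the default -->
    <Connector port="8082" protocol="HTTP/1.1" address="127.0.0.1" />
    <!-- Bound to one specific interface -->
    <Connector port="8083" address="192.0.2.10" />
    <!-- AJP connector: not an HTTP connector, outside this check -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="example" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_http_connector(conn):
    # Heuristic (assumption): Tomcat's HTTP protocol names all contain "HTTP"
    # ("HTTP/1.1", "...Http11NioProtocol"); AJP names do not.
    proto = conn.get("protocol", "HTTP/1.1")
    return "HTTP" in proto.upper()


def effective_bind(address):
    """Classify a Connector `address` value.

    Returns "all" (missing, 0.0.0.0 or ::), "loopback", "specific"
    (a concrete non-loopback IP) or "hostname" (not resolved here).
    """
    if address is None or address.strip() == "":
        return "all"
    try:
        ip = ipaddress.ip_address(address.strip().strip("[]"))
    except ValueError:
        return "hostname"
    if ip.is_unspecified:
        return "all"
    if ip.is_loopback:
        return "loopback"
    return "specific"


def audit_connectors(xml_text):
    """Return (port, address attribute, classification) for each HTTP connector."""
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if not is_http_connector(conn):
            continue
        addr = conn.get("address")
        results.append((conn.get("port"), addr, effective_bind(addr)))
    return results


def exposed_ports(xml_text):
    """Ports of HTTP connectors that accept connections on every interface."""
    return [port for port, _, kind in audit_connectors(xml_text) if kind == "all"]


def harden(xml_text, address="127.0.0.1"):
    """Return server.xml with an explicit bind address set on every HTTP
    connector that would otherwise listen on all interfaces."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if is_http_connector(conn) and effective_bind(conn.get("address")) == "all":
            conn.set("address", address)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, addr, kind in audit_connectors(SAMPLE_SERVER_XML):
        flag = "EXPOSED (CWE-1327)" if kind == "all" else "ok"
        print(f"port {port:>5}  address={addr!r:<14} -> {kind:<9} {flag}")
    print(harden(SAMPLE_SERVER_XML))
```

Binding to 127.0.0.1 is only a workable default where something on the same host (a reverse proxy, a sidecar) fronts Tomcat; on a host that serves clients directly, the operator still has to set `address` to the intended interface explicitly, which is the configuration step the report wants to make deliberate rather than implicit.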
Comment 1 Mark Thomas 2022-11-23 18:29:41 UTC
Bugzilla is not a discussion forum. Please take your question to the users mailing list.