...
From a security point of view, the JVMTI provides access to fields that are normally inaccessible. The interface also provides facilities for changing the behavior of a running Java program; for example, threads can be suspended or stopped. The JVMTI profiling tools can measure the time that a thread takes to execute, leaving applications vulnerable to timing attacks.
Noncompliant Code Example
In this noncompliant code example, the JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command line options -agentlib or -agentpath.
...
Some JVMs allow agents to be started when the JVM is already running. This is insecure in a production environment. Refer to the JVMTI documentation [JVMTI 2006] for platform-specific information on enabling or disabling this feature.
...
Clear the environment variable JAVA_TOOL_OPTIONS in the manner appropriate for your platform, for example, by setting it to an empty string value or by unsetting it. This prevents JVMTI agents from receiving arguments via this route.
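As an added example (not part of the original page), the following POSIX shell functions apply the advice above at launch time: they audit both JAVA_TOOL_OPTIONS and the explicit command line for -agentlib/-agentpath options, clear JAVA_TOOL_OPTIONS before starting the JVM, and refuse to start if an agent option is still present. The agent path used below is a constructed placeholder.

```shell
#!/bin/sh
# Audit a java launch for JVMTI agent options. The JVM prepends the contents
# of JAVA_TOOL_OPTIONS to its own options, so both sources are inspected.
# Prints each agent option found (one per line); returns 0 if none, 1 otherwise.
find_jvmti_agents() {
    found=0
    # Splitting JAVA_TOOL_OPTIONS on whitespace is a simplification of the
    # JVM's own quoting rules, but it is enough to catch -agentlib/-agentpath.
    # set -f suppresses pathname expansion of the unquoted variable.
    set -f
    set -- ${JAVA_TOOL_OPTIONS:-} "$@"
    set +f
    for opt in "$@"; do
        case $opt in
            -agentlib:*|-agentpath:*)
                printf '%s\n' "$opt"
                found=1 ;;
        esac
    done
    return $found
}

# Wrapper that applies the mitigation from the text: clear JAVA_TOOL_OPTIONS
# so agents cannot be injected through it, then start the JVM only if the
# explicit command line carries no agent option either. Returns 1 (without
# starting java) when an agent option is found.
start_java_hardened() {
    unset JAVA_TOOL_OPTIONS
    if agents=$(find_jvmti_agents "$@"); then
        java "$@"
    else
        printf 'refusing to start: JVMTI agent option present:\n%s\n' "$agents" >&2
        return 1
    fi
}

# Usage: start_java_hardened -Xmx1g -jar app.jar
```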
...