...
From a security point of view, the JVMTI provides access to fields that would normally be inaccessible. The interface also provides facilities for changing the behavior of a running Java program; for example, threads can be suspended or stopped. JVMTI profiling tools can also measure the time that a thread takes to execute, which leaves applications vulnerable to timing attacks.
Noncompliant Code Example
The JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command-line options `-agentlib` or `-agentpath`.
...
Agents may run under the default security manager without requiring any permissions to be granted. While the JVMTI is useful for debuggers and profilers, this level of access may not be appropriate for every user of the JVM.
Compliant Solution
Do not start the JVM with any agents enabled on a production machine. This compliant solution eliminates the `-agentlib` command-line argument and installs a security manager, as required by ENV30-J. Create a secure sandbox using a Security Manager.
...
Also, it is necessary to disable the environment variable `JAVA_TOOL_OPTIONS` so that JVMTI agents cannot be specified via this route.
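A launcher guard for the compliant solution above, as an added example that is not part of the original rule: it rejects `-agentlib` and `-agentpath` arguments, rejects a `JAVA_TOOL_OPTIONS` value that carries them, and clears the variable before starting the JVM. The function names and the sample invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the original rule): pre-launch guard for a
# production JVM. Function names and sample arguments are assumptions.

# Report every JVMTI agent option among the given arguments.
# Returns 0 when none are found, 1 otherwise.
find_agent_options() {
    found=0
    for arg in "$@"; do
        case "$arg" in
            -agentlib*|-agentpath*)
                printf 'agent option rejected: %s\n' "$arg" >&2
                found=1
                ;;
        esac
    done
    return "$found"
}

# Check the explicit JVM arguments and the JAVA_TOOL_OPTIONS route.
# Returns 0 only when neither carries an agent option.
check_jvm_launch() {
    status=0
    find_agent_options "$@" || status=1
    # Substring match on the variable: conservative, and independent of
    # how the value is quoted or split into separate options.
    case "${JAVA_TOOL_OPTIONS:-}" in
        *-agentlib*|*-agentpath*)
            printf 'agent option in JAVA_TOOL_OPTIONS rejected\n' >&2
            status=1
            ;;
    esac
    return "$status"
}

# Launch wrapper: refuse agent options, then start the JVM with
# JAVA_TOOL_OPTIONS removed from its environment.
# Constructed usage: safe_java -Djava.security.manager -cp app.jar Main
safe_java() {
    check_jvm_launch "$@" || return 1
    unset JAVA_TOOL_OPTIONS
    exec java "$@"
}
```

The guard scans every argument, so an application argument that happens to begin with `-agentlib` is also refused; that errs on the side of rejecting the launch.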
Risk Assessment
Deploying a Java application with the JVM Tool Interface enabled can allow an attacker to monitor or modify its behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV01-J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...