...
Compliant Solution
To be compliant, ensure that JVMTI is disabled by default: do not start the JVM with any agents enabled (no -agentlib, -agentpath, or -javaagent option on the command line). A JVM that is already running should then not be exposed to JVMTI-based attacks.
```sh
${JDK_PATH}/bin/java -Djava.security.manager ApplicationName
```
Also, the environment variable JAVA_TOOL_OPTIONS must be unset before the JVM is launched. The JVM reads this variable at startup and treats its contents as additional command-line options, so any -agentlib, -agentpath, or -javaagent option placed in it would load a JVMTI agent even though none was given on the command line; clearing it ensures that agents cannot be specified by this mechanism.
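The launch procedure above (no agent options, a security manager, and a cleared JAVA_TOOL_OPTIONS) as a POSIX shell launcher. This is an added example, not code from the CERT page; JDK_PATH and ApplicationName are the page's placeholders, while the two additional environment variables (_JAVA_OPTIONS, JDK_JAVA_OPTIONS), the rejection of @argfiles, and the HotSpot option -XX:+DisableAttachMechanism are this example's own additions beyond what the page lists.

```shell
#!/bin/sh
# Added launcher example; not code from the CERT page. JDK_PATH and
# ApplicationName are the page's placeholders. The two extra environment
# variables, the @argfile check and -XX:+DisableAttachMechanism are this
# example's additions beyond what the page states.

# Variables the JVM or the java launcher reads at startup; each can carry
# -agentlib/-agentpath/-javaagent options. JAVA_TOOL_OPTIONS is the one the
# page names; _JAVA_OPTIONS (HotSpot) and JDK_JAVA_OPTIONS (JDK 9+ launcher)
# are honored the same way.
AGENT_ENV_VARS="JAVA_TOOL_OPTIONS _JAVA_OPTIONS JDK_JAVA_OPTIONS"

# Remove every startup-option variable from this shell's environment so the
# exec'd JVM cannot inherit one.
sanitize_env() {
    for v in $AGENT_ENV_VARS; do
        unset "$v"
    done
}

# Succeed (0) only if none of the startup-option variables is set, even to
# the empty string; otherwise name the offender on stderr and fail (1).
check_env_clean() {
    for v in $AGENT_ENV_VARS; do
        if eval "[ -n \"\${$v+set}\" ]"; then
            echo "refusing to start: $v is set in the environment" >&2
            return 1
        fi
    done
    return 0
}

# Succeed (0) only if the argument list contains no option that loads an
# agent: -agentlib:, -agentpath:, -javaagent:, the legacy -Xrun form, and
# @argfiles (JDK 9+ launcher), which could hide any of the above.
check_no_agent_flags() {
    for arg in "$@"; do
        case "$arg" in
            -agentlib:*|-agentpath:*|-javaagent:*|-Xrun*|@*)
                echo "refusing to start: agent-loading option '$arg' present" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# Run the checks, then replace this shell with the JVM: security manager
# installed, dynamic attach disabled so no agent can be loaded into the
# running process later. Usage: launch [jvm-options] ApplicationName [args]
launch() {
    : "${JDK_PATH:?JDK_PATH must point at the JDK to use}"
    sanitize_env
    check_env_clean || return 1
    check_no_agent_flags "$@" || return 1
    exec "${JDK_PATH}/bin/java" \
        -Djava.security.manager \
        -XX:+DisableAttachMechanism \
        "$@"
}
```

Two caveats apply to this launcher. -XX:+DisableAttachMechanism is a HotSpot-specific option, so check the equivalent for any other JVM before relying on it. The SecurityManager that -Djava.security.manager installs has been deprecated for removal since Java 17 (JEP 411); on current releases it still installs but prints a warning, so the agent and environment checks, rather than the security manager, should be treated as the controls that actually keep JVMTI out of the process.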
Risk Assessment
Failing to appreciate that a Java application can be monitored and modified via the JVM Tool Interface may lead to an application being deployed that is open to attack from malicious users.
...