...

From a security point of view, the JVMTI provides access to fields that are normally inaccessible. The interface also provides facilities for changing the behavior of a running Java program; for example, threads can be suspended or stopped. The JVMTI profiling tools can measure the time that a thread takes to execute, leaving applications vulnerable to timing attacks.

Noncompliant Code Example

The JVMTI works by using agents that communicate with the running JVM. In this noncompliant code example, an agent is loaded at JVM startup via one of the command line options -agentlib or -agentpath, which is how such agents are usually loaded.

...

Agents may run under the default security manager without requiring any permissions to be granted. While the JVMTI is useful for debuggers and profilers, such levels of access are inappropriate for deployed production code.

Compliant Solution

Do not start the JVM with any agents enabled on a production machine. This compliant solution removes the -agentlib command line argument and installs a security manager, as required by rule ENV02-J (Create a secure sandbox using a security manager).

...

Clear the environment variable JAVA_TOOL_OPTIONS in the manner appropriate for your platform, for example, by setting it to an empty string value or by unsetting it. This prevents JVMTI agents from receiving arguments via this route.
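As an added example, not code from the CERT page or the JDK, the following POSIX shell functions apply the rule's checks before a JVM is launched on a production host: they reject an argument list that loads an agent via -agentlib or -agentpath, reject an environment in which JAVA_TOOL_OPTIONS would inject such an option, and confirm that the launch installs a security manager as the compliant solution requires. The function names and the sample launches in the comments are constructed for illustration. Going beyond the two options named above, -javaagent is flagged as well, because java.lang.instrument agents are implemented on top of JVMTI.

```shell
#!/bin/sh
# Added example, not code from the CERT page: a pre-launch audit that applies
# ENV07-J on a production host. Function names and sample arguments are
# constructed for illustration.

# Returns 0 when any argument would load a JVMTI agent, 1 otherwise.
# -agentlib and -agentpath are the options the rule names; -javaagent is
# flagged as well because java.lang.instrument agents are built on JVMTI
# (an addition to the page's list).
jvm_cmdline_has_agent() {
    for arg in "$@"; do
        case "$arg" in
            -agentlib:*|-agentpath:*|-javaagent:*) return 0 ;;
        esac
    done
    return 1
}

# Returns 0 when JAVA_TOOL_OPTIONS is unset, empty, or free of agent options;
# 1 when it would inject an agent into every JVM started in this environment.
java_tool_options_is_clean() {
    # Word-split the variable into positional parameters; the expansion is
    # intentionally unquoted so each option becomes a separate argument.
    set -- ${JAVA_TOOL_OPTIONS:-}
    if jvm_cmdline_has_agent "$@"; then
        return 1
    fi
    return 0
}

# Returns 0 when the launch installs a security manager (rule ENV02-J),
# 1 otherwise. The value "disallow" (accepted since JDK 12) explicitly
# refuses a security manager, so it does not count as installing one.
jvm_cmdline_has_security_manager() {
    for arg in "$@"; do
        case "$arg" in
            -Djava.security.manager=disallow) ;;
            -Djava.security.manager|-Djava.security.manager=*) return 0 ;;
        esac
    done
    return 1
}

# Combined verdict on a proposed "java ..." argument list (without the
# leading "java"). Returns 0 only when the launch is compliant.
audit_jvm_launch() {
    status=0
    if jvm_cmdline_has_agent "$@"; then
        echo "REJECT: command line loads a JVMTI agent" >&2
        status=1
    fi
    if ! java_tool_options_is_clean; then
        echo "REJECT: JAVA_TOOL_OPTIONS would inject a JVMTI agent; unset it" >&2
        status=1
    fi
    if ! jvm_cmdline_has_security_manager "$@"; then
        echo "REJECT: no security manager installed (-Djava.security.manager)" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: no JVMTI agents and a security manager is installed"
    fi
    return "$status"
}

# Usage with constructed sample launches:
#   audit_jvm_launch -agentlib:hprof=cpu=samples,file=log.txt AppName   # rejected
#   audit_jvm_launch -Djava.security.manager AppName                    # accepted
```

The audit only covers the two routes the rule names (the command line and JAVA_TOOL_OPTIONS); it is a launch-time gate, not a substitute for keeping profiling and debugging tooling off production images altogether. Note also that the security manager the compliant solution relies on was deprecated for removal in JDK 17 (JEP 411), so the ENV02-J part of the check applies to the JDK generations this rule was written for.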

Risk Assessment

Deploying a Java application with the JVM Tool Interface enabled can allow an attacker to monitor or modify its behavior.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
ENV07-J   low       unlikely    medium            P2        L3

Automated Detection

Not amenable to automated static analysis.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.


...