Java provides several APIs that allow outside programs to monitor a running Java program. These APIs permit the Java program to be monitored remotely by programs on distinct hosts. Such features are handy for debugging the program, or fine-tuning its performance. However, if a Java program is deployed in production with remote monitoring enabled, an attacker can connect to the JVM and inspect its behavior and data, including potentially sensitive information. An attacker can also exert some control over the program's behavior. Therefore remote monitoring must be disabled when running a Java program in production.
JVM Tool Interface (JVMTI)
| Wiki Markup |
|---|
The JVM Tool Interface \[[JVMTI 2006|AA. Bibliography#JVMTI 06]\] provides facilities for querying the internals of a JVM and includes methods for monitoring and modifying the behavior of a running Java program. These low level facilities require the use of the Java Native Interface (JNI) and C language programming. The JVM Tool Interface is typically used by development and monitoring tools. |
From a security point of view, the JVMTI provides access to fields that are normally inaccessible. The interface also provides facilities for changing the behavior of a running Java program; for example, threads can be suspended or stopped. The JVMTI profiling tools can measure the time that a thread takes to execute, leaving applications vulnerable to timing attacks.
Java Platform Debugger Architecture (JPDA)
| Wiki Markup |
|---|
The Java Platform Debugger Architecture (JPDA) \[[JPDA 2004|AA. Bibliography#JPDA 04]\] builds on the JVM Tool Interface. It provides high-level facilities for debugging running Java programs, often used for debugging programs running in remote environments. |
| Wiki Markup |
|---|
The JDPA facilities are similar to the reflection facilities \[[Reflection 2006|AA. Bibliography#Reflection 06]\] used for inspecting and modifying field values. In particular, it is possible to get or set the values of fields. Access control is not enforced, so, for example, even the values of {{private}} fields can be accessed or modified. |
As JPDA supports remote debugging, which means that a remote host can access the debugger. An attacker can exploit this feature unless appropriate protection is enabled. A security manager can ensure that only known, trusted hosts are given permissions to use the debugger interface.
Java SE Monitoring and Management features
The Java SE Monitoring and Management features fall into four broad categories:
- The Java Management Extensions (JMX) technology: This technology serves as the underlying interface for local and remote monitoring and management.
- Instrumentation for the Java Virtual Machine (JVM): These facilities enable out-of-the-box monitoring and management of the JVM and are based on the JMX specification.
- Monitoring and Management Application Programming Interfaces (API): These facilities use the
java.lang.managementpackage to provide the monitoring and management interface. Applications can use this package to monitor themselves or to let JMX technology compliant tools to monitor and manage them. - Monitoring and Management tools: Tools such as
Jconsoleimplement the JMX interface to provide monitoring and management facilities.
| Wiki Markup |
|---|
The JMX API provides the underlying facilities both for inspecting applications running in a JVM, as well as for controlling their operation \[[JMX 2006|AA. Bibliography#JMX 06]\]. These facilities can be used either locally (from the machine that runs the JVM) or remotely. If exploited, the monitoring and management facilities can seriously compromise the security of Java applications. For example, an attacker can obtain information about the number of classes loaded and threads running, thread state along with traces of live threads, system properties, VM arguments, and memory consumption. |
| Wiki Markup |
|---|
Local monitoring and management is enabled by default when a JVM is started; remote monitoring and management is not. When remote monitoring and management is enabled, access is password-controlled by default. However, password control can be disabled. Disabling password authentication is insecure because any user who can discover the port number that the JMX service is listening on can monitor and control the Java applications running on the JVM \[[JMXG 2006|AA. Bibliography#JMXG 06]\]. |
| Wiki Markup |
|---|
The JVM Remote monitoring and management facility uses a secure communication channel (SSL) by default. However, if an attacker can start a bogus RMI registry on the monitored machine before the legitimate RMI registry is started, JMX passwords can be intercepted. Also, SSL can be disabled when using remote monitoring and management which could, again, compromise security. See The Java SE Monitoring and Management Guide \[[JMXG 2006|AA. Bibliography#JMXG 06]\] for further details and for avoidance strategies. |
It is conceivable that both password authentication and SSL might be disabled during development and debugging. If this configuration were carried forward to a production environment, there would be no security in place to prevent an attacker from monitoring and controlling the deployed application.
Noncompliant Code Example (JVMTI)
In this noncompliant code example, the JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command line options, -agentlib or -agentpath.
...
Agents may run under the default security manager without requiring any permissions to be granted. While the JVMTI is useful for debuggers and profilers, such levels of access are inappropriate for deployed production code.
Noncompliant Code Example (JPDA)
This noncompliant code example uses command line arguments to invoke the JVM so that it can be debugged from a running debugger application by listening for connections using shared memory at transport address mysharedmemory.
| Code Block | ||
|---|---|---|
| ||
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_shmem,address=mysharedmemory ApplicationName
|
Likewise, the -Xrunjdwp, which is equivalent to -agentlib, and -Xdebug, which is used by the jdb tool, command line arguments also enable application debugging.
Noncompliant Code Example (JVM monitoring)
This noncompliant code example invokes the JVM with command line arguments that permit remote monitoring via port 8000. This may result in a security vulnerability when the password is weak or the SSL protocol is misapplied.
| Code Block | ||
|---|---|---|
| ||
${JDK_PATH}/bin/java -Dcom.sun.management.jmxremote.port=8000 ApplicationName |
Compliant Solution
Do not start This compliant solution starts the JVM with without any agents enabled on a production machine. Avoid using the the -agentlib, -Xrunjdwp and -Xdebug command line arguments on production machines. This compliant solution removes the -agentlib command line argument and also installs a security manager for good measure.
| Code Block | ||
|---|---|---|
| ||
${JDK_PATH}/bin/java -Djava.security.manager ApplicationName
|
Clear the environment variable JAVA_TOOL_OPTIONS in the manner appropriate for your platform, for example, by setting it to an empty string value or by {{ unset}}ing it. This prevents JVMTI agents from receiving arguments via this route. The command line argument {{-Xnoagent can also be used to disable the debugging features supported by the old Java debugger (oldjdb).
This compliant solution disables monitoring by remote machines. By default, local monitoring is enabled in Java 6. In earlier versions, the system property com.sun.management.jmxremote had to be set to enable local monitoring. Although the unsupported -XX:+DisableAttachMechanism command line option may be used to disable local Java tools from monitoring the JVM, it is always possible to use native debuggers and other tools to perform monitoring. Fortunately, monitoring tools require at least as many privileges as the owner of the JVM process possesses, reducing the threat of local exploitation through privilege escalation.
Local monitoring uses temporary files and sets the file permissions to those of the owner of the JVM process. Ensure that adequate file protection is in place on the system running the JVM so that the temporary files are accessed appropriately. See rules IDS03-J. Validate all data passed in through environment variables and non-default properties, and FIO03-J. Remove temporary files before termination for additional information.
| Wiki Markup |
|---|
The Java SE Monitoring and Management Guide \[[JMXG 2006|AA. Bibliography#JMXG 06]\] provides further advice: |
Local monitoring with
jconsoleis useful for development and prototyping. Usingjconsolelocally is not recommended for production environments becausejconsoleitself consumes significant system resources. Rather, usejconsoleon a remote system to isolate it from the platform being monitored.
Moving jconsole to a remote system removes its system resource load from the production environment.
Noncompliant Code Example (remote debugging)
Remote debugging requires the use of sockets as the transport (transport=dt_socket). Remote debugging also requires specification of the type of application (server=y, where y denotes that the JVM is the server and is waiting for a debugger application to connect to it) and the port number to listen on (address=9000).
| Code Block | ||
|---|---|---|
| ||
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket, server=y,address=9000 ApplicationName
|
Remote debugging is dangerous because an attacker can spoof the client IP address and connect to the JPDA host. Depending on the attacker's position in the network, they could glean debugging information by sniffing the network traffic that the JPDA host sends to the forged IP address.
Compliant Solution (remote debugging)
Restrict remote debugging to trusted hosts by modifying the security policy file to grant appropriate permissions only to those trusted hosts. For example, specify the permission java.net.SocketPermission for the JPDA host and remove the permission from other hosts.
The JPDA host can serve either as a server or as a client. When the attacker cannot sniff the network to determine the identity of machines that use the JPDA host (for example, through use of a secure channel), prefer specifying the JPDA host as the client and the debugger application as the server by changing the value of the server argument to n.
This compliant solution allows the JPDA host to attach to a trusted debugger application.
| Code Block | ||
|---|---|---|
| ||
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket, server=n,address=9000 ApplicationName
|
When it is necessary to run a JVM with debugging enabled, avoid granting permissions that are not needed by the application. In particular, avoid granting socket permissions to arbitrary hosts, that is, omit the permission java.net.SocketPermission "*", "connect,accept".
Exceptions
ENV06:EX0: A Java program may be remotely monitored using any of these technologies if it can be guaranteed that no program outside the local trust boundary can access the program. For example, if the program lives on a local network that is both completely trusted and disconnected from any larger networks, including the Internet, then remote monitoring is permitted.
Risk Assessment
Deploying a Java application with the JVM Tool Interface, JPD, or remote monitoring enabled can allow an attacker to monitor or modify its behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ENV06-J | low high | unlikely probable | medium low | P2 P18 | L3 L1 |
Automated Detection
Not amenable to automated static analysis.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00aab61a-2040-45d4-9f99-5ed828284f03"><ac:plain-text-body><![CDATA[ | [[JMX 2006 | AA. Bibliography#JMX 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8909b7b0-fd70-45d2-9dd6-bd35f7867fee"><ac:plain-text-body><![CDATA[ | [[JMXG 2006 | AA. Bibliography#JMXG 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0a2d7964-22b8-4e7a-a5fa-ed9e7b71c245"><ac:plain-text-body><![CDATA[ | [[JPDA 2004 | AA. Bibliography#JPDA 04]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bfc527f7-06e9-4adb-b555-e66b5e5d1f3c8b5bfc13-7bdf-41dd-9006-41bfea8e59ad"><ac:plain-text-body><![CDATA[ | [[JVMTI 2006 | AA. Bibliography#JVMTI 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="377ea7173dd655f1-8d940a73-43f34983-8431bd08-25cef5a7dc0c266333a28cd0"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.6, The JVM Tool Interface, Section 2.7, Debugging, Section 2.8, Monitoring and Management | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c64ef038-9efb-4b75-9800-2a6d9fa08244"><ac:plain-text-body><![CDATA[ | [[Reflect 2006 | AA. Bibliography#Reflect 06]] | [Reflection | http://java.sun.com/javase/6/docs/technotes/guides/reflection/index.html], Sun Microsystems, Inc. (2006) | ]]></ac:plain-text-body></ac:structured-macro> |
...