There are just so many bad practices here...

First, a production machine should not have debugging enabled. Problem solved.

Second, a development machine with debugging enabled should not be exposed to the internet. Problem solved.

Next, someone would have to gain access to the machine to do that. Don't let untrusted people have access to the machine. Problem solved.

Observing reasonable practices eliminates any potential threat.


On 8/15/2024 12:49 PM, Bhavesh Mistry wrote:
Hello Tomcat Users and Development Team,

I recently came to know that with Java Attach API, anyone with access can
attach to a local process and manipulate Java Byte code.

For example, password harvesting is attached to the Filter Chain.
https://github.com/rebeyond/memShell

What I found is to run the JVM with *-XX:+DisableAttachMechanism*, but the
problem is it will disable jstack, jcmd, etc., all the debug tools that are
needed to debug application issues.

Do you guys have any recommendations on how to add authentication to the Java
Attach API?

Any pointers and suggestions would be really helpful.

Thanks,

Bhavesh

--
George Sexton
(303) 438 9585 x102
MH Software, Inc.
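A small audit script for the trade-off discussed in this thread, added here as an illustration and not code from Tomcat or from either poster. It assumes a Linux host running HotSpot JVMs: the -XX:+DisableAttachMechanism flag is visible in /proc/<pid>/cmdline, and a JVM whose attach listener has started (because jcmd, jstack or an injector connected, or because -XX:+StartAttachListener was set) owns a UNIX socket named /tmp/.java_pid<pid>. It reports which JVMs are still attachable, so you can confirm the flag is set on production machines while leaving it off where jstack/jcmd are needed.

```python
import os
import re

# Added example for this thread; not Tomcat's or the posters' code. Assumes a
# Linux host with HotSpot JVMs: the -XX:+DisableAttachMechanism flag shows up
# in /proc/<pid>/cmdline, and a JVM whose attach listener has started (a tool
# connected, or -XX:+StartAttachListener was set) owns the UNIX socket
# /tmp/.java_pid<pid>. A crashed JVM can leave that socket behind (stale).
DISABLE_FLAG = "-XX:+DisableAttachMechanism"
SOCKET_RE = re.compile(r"^\.java_pid(\d+)$")

def listener_pids_from_names(names):
    """Pids whose attach-listener socket appears in a directory listing."""
    return {int(m.group(1)) for m in map(SOCKET_RE.match, names) if m}

def attach_sockets(tmpdir="/tmp"):
    """Listener sockets currently present in tmpdir (empty set if unreadable)."""
    try:
        return listener_pids_from_names(os.listdir(tmpdir))
    except OSError:
        return set()

def classify(pid, argv, listener_pids):
    """'disabled' (flag set), 'listener-active' (socket present) or 'attachable'."""
    if DISABLE_FLAG in argv:
        return "disabled"         # the JVM refuses attach requests outright
    if pid in listener_pids:
        return "listener-active"  # something connected at least once, or stale socket
    return "attachable"           # any local process with the same uid may attach

def scan_proc(proc="/proc", tmpdir="/tmp"):
    """Return {pid: state} for every process whose argv[0] is java or javaw."""
    listener_pids = attach_sockets(tmpdir)
    report = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited, or its cmdline is not readable by us
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv and os.path.basename(argv[0]) in ("java", "javaw"):
            report[int(entry)] = classify(int(entry), argv, listener_pids)
    return report

if __name__ == "__main__":
    print(scan_proc())
```

Run it as the same user as the Tomcat process (or as root) so /proc/<pid>/cmdline is readable; a production JVM should come back as "disabled".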
