Bhavesh,
On 8/15/24 14:49, Bhavesh Mistry wrote:
> I recently came to know that with the Java Attach API, anyone with access can
> attach to a local process and manipulate Java bytecode.
> For example, password harvesting is attached to the Filter Chain.
> https://github.com/rebeyond/memShell
> What I found is to run the JVM with *-XX:+DisableAttachMechanism*, but the
> problem is that it will disable jstack, jcmd, etc., all the debug tools that are
> needed to debug application issues.
> Do you guys have any recommendations on how to add authentication to the Java
> Attach API?
Java Attach API requires one of the following:
1. Agent specified at JVM launch time (e.g. -javaagent)
2. Agent attached at runtime /as the same OS user/
3. Agent attached at runtime as root
That's already a pretty high bar for security. If your attacker has
root, it's already game over. If your attacker has login as the Tomcat
user, they can presumably stop, start, and deploy any code into Tomcat
already. Access to the JVM via the Attach API is no more concerning than
having access to the Tomcat user.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
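The trade-off discussed above (disabling the attach mechanism closes the door to runtime agents but also to jstack/jcmd) is easier to manage when the running JVM reports its own exposure. The following is an added example, not code from the thread or from Tomcat: a small class that a web application could call at startup (for instance from a ServletContextListener, not shown) to log whether `-XX:+DisableAttachMechanism` is in effect, whether a `-javaagent` was loaded at launch, and which OS user the JVM runs as, since that is the account whose local access Chris describes as equivalent to attach access. The class name `AttachExposureCheck` and the log wording are assumptions; the MXBean calls are standard HotSpot APIs from `com.sun.management`.

```java
import com.sun.management.HotSpotDiagnosticMXBean;
import com.sun.management.VMOption;
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.util.List;

/**
 * Added example (hypothetical class, not part of the thread or of Tomcat):
 * reports at startup how exposed this JVM is to local agent attachment,
 * so operators can see the jstack/jcmd-vs-attach trade-off in the logs.
 */
public final class AttachExposureCheck {

    private AttachExposureCheck() {}

    /** True if the JVM was launched with -XX:+DisableAttachMechanism. */
    public static boolean attachMechanismDisabled() {
        HotSpotDiagnosticMXBean hotspot =
                ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
        // getVMOption throws IllegalArgumentException on non-HotSpot VMs that
        // lack this flag; treat "unknown" as "not disabled" so the report is honest.
        try {
            VMOption opt = hotspot.getVMOption("DisableAttachMechanism");
            return Boolean.parseBoolean(opt.getValue());
        } catch (IllegalArgumentException | NullPointerException e) {
            return false;
        }
    }

    /** True if any -javaagent:... argument was given at JVM launch (case 1 above). */
    public static boolean javaagentAtLaunch() {
        RuntimeMXBean rt = ManagementFactory.getRuntimeMXBean();
        List<String> args = rt.getInputArguments();
        return args.stream().anyMatch(a -> a.startsWith("-javaagent:"));
    }

    /** The OS account the JVM runs as; anyone who can log in as it can attach (case 2). */
    public static String runningAsUser() {
        return System.getProperty("user.name", "<unknown>");
    }

    /** Builds a one-paragraph summary suitable for a startup log line. */
    public static String report() {
        StringBuilder sb = new StringBuilder();
        sb.append("JVM attach exposure: ");
        sb.append("DisableAttachMechanism=").append(attachMechanismDisabled()).append("; ");
        sb.append("javaagent at launch=").append(javaagentAtLaunch()).append("; ");
        sb.append("running as OS user=").append(runningAsUser()).append(". ");
        if (attachMechanismDisabled()) {
            sb.append("Runtime agents cannot attach, but jstack/jcmd will not work either.");
        } else {
            sb.append("Any process running as this user (or root) can attach an agent.");
        }
        return sb.toString();
    }

    // Stand-alone run: java AttachExposureCheck
    public static void main(String[] args) {
        System.out.println(report());
    }
}
```

Run it inside the same JVM whose exposure you want to know (it inspects its own process, not others); with `-XX:+DisableAttachMechanism` on the command line the first field flips to `true`, which is the quickest way to confirm the flag actually reached the Tomcat JVM through the startup scripts.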