My apologies if I missed any conclusion here.
>From the description of address attribute on HTTP connector:
"For servers with more than one IP address, this attribute specifies which
address will be used for listening on the specified port. By default, the
connector will listen all local addresses. Unless the JVM is configured
otherwise using system properties, the Java based connectors (NIO, NIO2) will
listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or
::. The APR/native connector will only listen on IPv4 addresses if configured
with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses
depending on the setting of ipv6v6only) if configured with ::."
Is it possible to update the behavior to listen to loopback address only like
was done for AJP connectors.
On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default
unless we define address as "127.0.0.1" :
tcp 0 0 0.0.0.0:39054 0.0.0.0:* LISTEN
28539/java
Also, is it right that we will need to have two connectors for IPv4 and IPv6
with address "127.0.0.1" and "::1" respectively to enable binding only on
loopback addresses?
If we configure two connectors (IPv4 and IPv6 loopback), if one isn't
available, we see:
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.net.SocketException: Protocol family unavailable
at sun.nio.ch.Net.bind0(Native Method)
which has caused confusion/concerns.
What would be a better way to bind on "all available loopback addresses?
Thanks,
Amit
-----Original Message-----
From: Christopher Schultz <[email protected]>
Sent: Monday, November 28, 2022 5:21 PM
To: [email protected]
Subject: [External] Re: listening all local addresses by default is not
security best practice
To whom it may concern,
On 11/23/22 14:31, [email protected] wrote:
> Hi there,
>
> Product:<https://nam12.safelinks.protection.outlook.com/?url=https%3A%
> 2F%2Fbz.apache.org%2Fbugzilla%2Fdescribecomponents.cgi&data=05%7C0
> 1%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e
> 13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7C
> TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVC
> I6Mn0%3D%7C3000%7C%7C%7C&sdata=o%2FwWU7LgTdFLS3L5njjEruLLho9JnSw2O
> LV0%2BO%2BnR5c%3D&reserved=0>
>
> [snip]
> The default behaviour of http connector is listenning all interfaces.
False.
> It is found in the description of "address" in attributes section.
> (https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftom
> cat.apache.org%2Ftomcat-9.0-doc%2Fconfig%2Fhttp.html%23SSL_Support&
> ;data=05%7C01%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad19
> 78243%7Cfc8e13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347%
> 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
> 1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=p3R8MryiKpauAppYJLbrGLP
> FzIUJpONDxvQj%2BlYepnI%3D&reserved=0)
It's listed in another section, and does not say all interfaces.
> In terms of security default, it could be not best practice. In case of
> unexpected mistakes made by people, default behaviour of exposing the server
> to every possible network may pose a potential threat on security.
Good thing Tomcat does not default to that configuration.
> CWE-1327: Binding to an Unrestricted IP Address:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwe.
> mitre.org%2Fdata%2Fdefinitions%2F1327.html&data=05%7C01%7CAmit.Pan
> de%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e13c0422c4c55
> b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7CTWFpbGZsb3d8
> eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3
> 000%7C%7C%7C&sdata=pZzdfOpc0Cw5kVThNxWZLBZIoW4xXQSoSldTtMn6OEM%3D&
> amp;reserved=0
>
> The issue should be a security enhancement. I recommend changing default
> behaviour to a single interface/network, e.g loopback interface 127.0.0.1 and
> adding configuration option with default value OFF for 0.0.0.0 or : :.
Sounds great. So what exactly needs to be changed? You want us to pick only
IPv4 or IPv6?
If not, what you describe is exactly the default configuration that you will
get.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
