On 8/6/23 13:25, Amit Pande wrote:
My apologies if I missed any conclusion here.
From the description of address attribute on HTTP connector:
"For servers with more than one IP address, this attribute specifies which address
will be used for listening on the specified port. By default, the connector will listen
all local addresses. Unless the JVM is configured otherwise using system properties, the
Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when
configured with either 0.0.0.0 or ::. The APR/native connector will only listen on IPv4
addresses if configured with 0.0.0.0 and will listen on IPv6 addresses (and optionally
IPv4 addresses depending on the setting of ipv6v6only) if configured with ::."
Is it possible to update the behavior to listen to loopback address only like
was done for AJP connectors.
On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default unless we
define address as "127.0.0.1" :
tcp 0 0 0.0.0.0:39054 0.0.0.0:* LISTEN
28539/java
Given the documentation quoted above, I would expect that Tomcat would
bind to ::1 unless otherwise specified ("all LOCAL addresses", emphasis
mine). The behavior you demonstrate above, and the code agree that
Tomcat will listen on all PUBLIC interfaces, not local ones, by default.
I believe the documentation should be changed to reflect reality,
because changing this default could break a lot of installations.
Changing the default AJP binding to localhost made sense because a
publicly-exposed AJP connector is very insecure, while having HTTP(S)
exposed publicly should not present much risk at all.
Also, is it right that we will need to have two connectors for IPv4 and IPv6 with address
"127.0.0.1" and "::1" respectively to enable binding only on loopback addresses?
If we configure two connectors (IPv4 and IPv6 loopback), if one isn't
available, we see:
org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.net.SocketException: Protocol family unavailable
at sun.nio.ch.Net.bind0(Native Method)
which has caused confusion/concerns.
What would be a better way to bind on "all available loopback addresses?
That *would* be handy if ::1 would bind to "all local [IPv4 and IPv6, as
appropriate] addresses" just like APR does. Can you please file a BZ
ticket for that? I'm surprised it doesn't already work like that,
honestly, because it seems completely obvious to me that's how it
/should/ work.
-chris
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, November 28, 2022 5:21 PM
To: users@tomcat.apache.org
Subject: [External] Re: listening all local addresses by default is not
security best practice
To whom it may concern,
On 11/23/22 14:31, tommydu1...@outlook.com wrote:
Hi there,
Product:<https://nam12.safelinks.protection.outlook.com/?url=https%3A%
2F%2Fbz.apache.org%2Fbugzilla%2Fdescribecomponents.cgi&data=05%7C0
1%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e
13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7C
TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVC
I6Mn0%3D%7C3000%7C%7C%7C&sdata=o%2FwWU7LgTdFLS3L5njjEruLLho9JnSw2O
LV0%2BO%2BnR5c%3D&reserved=0>
>
> [snip]
The default behaviour of http connector is listenning all interfaces.
False.
It is found in the description of "address" in attributes section.
(https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftom
cat.apache.org%2Ftomcat-9.0-doc%2Fconfig%2Fhttp.html%23SSL_Support&
;data=05%7C01%7CAmit.Pande%40veritas.com%7C13ea9fddeb604e4b7dca08dad19
78243%7Cfc8e13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638052745907718347%
7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=p3R8MryiKpauAppYJLbrGLP
FzIUJpONDxvQj%2BlYepnI%3D&reserved=0)
It's listed in another section, and does not say all interfaces.
In terms of security default, it could be not best practice. In case of
unexpected mistakes made by people, default behaviour of exposing the server to
every possible network may pose a potential threat on security.
Good thing Tomcat does not default to that configuration.
CWE-1327: Binding to an Unrestricted IP Address:
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwe.
mitre.org%2Fdata%2Fdefinitions%2F1327.html&data=05%7C01%7CAmit.Pan
de%40veritas.com%7C13ea9fddeb604e4b7dca08dad1978243%7Cfc8e13c0422c4c55
b3eaca318e6cac32%7C0%7C0%7C638052745907718347%7CUnknown%7CTWFpbGZsb3d8
eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3
000%7C%7C%7C&sdata=pZzdfOpc0Cw5kVThNxWZLBZIoW4xXQSoSldTtMn6OEM%3D&
amp;reserved=0
The issue should be a security enhancement. I recommend changing default
behaviour to a single interface/network, e.g loopback interface 127.0.0.1 and
adding configuration option with default value OFF for 0.0.0.0 or : :.
Sounds great. So what exactly needs to be changed? You want us to pick only
IPv4 or IPv6?
If not, what you describe is exactly the default configuration that you will
get.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
