[Vulnerability notice] Remote command execution vulnerability caused by Java Remote Debug

Last Updated: May 07, 2018

Description

Java virtual machines provide the Java debugger (JDB) and its debugging capabilities for Java programs. You can enable the Remote Debug mode during application compilation to facilitate remote code debugging.

However, the Remote Debug mode does not authenticate incoming connections. As a result, an attacker can connect to the debug port directly and run system commands on the host. This may lead to unauthorized access to the server and data leaks.

Fix

  • Turn off the Remote Debug mode.

    • Directly close the Java Debug mode process, which is started with a command line such as:
      1. java -Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=7001,suspend=n
    • Use the Tomcat middleware to turn off the Remote Debug mode.
      1. Comment out line 2 in startup.sh:
        1. declare -x CATALINA_OPTS="-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8788"
      2. Restart Tomcat for the corresponding project.
  • Use an ECS security group to limit access from external IP addresses to the Remote Debug port.
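Before applying either fix it helps to know which JVMs on a host actually run with the debug agent and where it listens. The following POSIX shell script is an added example, not part of this notice or of Alibaba Cloud's tooling: it parses JVM command lines for the -Xrunjdwp: or -agentlib:jdwp= option, reports the address= value, and classifies it as loopback-only or reachable from other interfaces; the sample command lines are constructed from the two shown above plus a loopback-bound one and a JVM without debugging.

```shell
# jdwp_address "<cmdline>": prints the address= value of -Xrunjdwp:/-agentlib:jdwp=
# ("any" when the agent is enabled without an address), or prints nothing and
# returns 1 when the command line has no JDWP agent at all.
jdwp_address() {
  opt=$(printf '%s\n' "$1" | grep -oE '(-Xrunjdwp:|-agentlib:jdwp=)[^[:space:]]+' | head -n 1)
  [ -n "$opt" ] || return 1
  addr=$(printf '%s\n' "$opt" | sed -E 's/^(-Xrunjdwp:|-agentlib:jdwp=)//' \
         | tr ',' '\n' | sed -n 's/^address=//p' | head -n 1)
  printf '%s\n' "${addr:-any}"
}

# jdwp_exposure "<address>": "loopback" when only local debuggers can connect,
# "all-interfaces" otherwise. A bare port (as in the notice's examples) binds
# every interface on JDK 8 and earlier; JDK 9+ binds loopback for a bare port
# and needs "*:port" to listen on all interfaces, so treat a bare port as exposed.
jdwp_exposure() {
  case "$1" in
    localhost:*|127.0.0.1:*) echo loopback ;;
    *) echo all-interfaces ;;
  esac
}

# audit_jvms: walks the live process table and prints PID, exposure and JDWP
# address for every JVM running with the debug agent (empty output = none found).
audit_jvms() {
  ps -eo pid=,args= | while read -r pid args; do
    addr=$(jdwp_address "$args") || continue
    printf '%s\t%s\tjdwp address=%s\n' "$pid" "$(jdwp_exposure "$addr")" "$addr"
  done
}

# Constructed sample command lines: the two from the notice, one loopback-bound
# JDK 9+ style line, and one JVM started without debugging.
SAMPLE_CMDS='java -Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=7001,suspend=n -jar app.jar
java -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8788 org.apache.catalina.startup.Bootstrap start
java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar
java -jar app.jar'

# report_samples: runs the same checks over the constructed lines instead of ps.
report_samples() {
  printf '%s\n' "$SAMPLE_CMDS" | while IFS= read -r line; do
    addr=$(jdwp_address "$line") || continue
    printf '%s\tjdwp address=%s\n' "$(jdwp_exposure "$addr")" "$addr"
  done
}

report_samples
```

Run audit_jvms on the host itself; any line classified all-interfaces is a JVM whose debug port must be closed or confined to the security group before it is reachable from outside.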
