Hi there,

Product: Tomcat 9
Component: Connectors
The default behaviour of the HTTP connector is to listen on all interfaces. This is 
stated in the description of "address" in the attributes section. 
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

In terms of security defaults, this may not be best practice. In the case of 
unexpected mistakes made by people, the default behaviour of exposing the server to 
every possible network may pose a potential security threat.

CWE-1327: Binding to an Unrestricted IP Address: 
https://cwe.mitre.org/data/definitions/1327.html

This issue should be treated as a security enhancement. I recommend changing the default 
behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, and 
adding a configuration option, defaulting to OFF, for 0.0.0.0 or ::.

I hope that I have made it clear.
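The following is an added example, not code from the bug report or from Tomcat. It shows the configuration point the report makes: a Connector without an address attribute (Tomcat's documented default) or with an explicit wildcard address listens on every interface, while address="127.0.0.1" restricts it to loopback. The server.xml is constructed for the example, the wildcard list and the helper names are the example's own, and the audit simply applies the documented semantics of the address attribute.

```python
"""Audit a Tomcat server.xml for connectors bound to all interfaces (CWE-1327).

Added example, not part of the bug report or of Tomcat. It assumes only the
documented semantics of the Connector "address" attribute: absent means bind
every interface; a specific IP restricts the bind.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one connector with the default (unrestricted)
# bind, one pinned to loopback, one explicitly bound to the IPv4 wildcard.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="changeme" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="0.0.0.0" SSLEnabled="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Address values that mean "every interface" (IPv4 and IPv6 wildcards).
# This set is the example's own; Tomcat itself just passes the value to bind().
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def unrestricted_connectors(server_xml: str) -> list[dict]:
    """Return one finding per Connector that would accept traffic on all interfaces.

    Flags a connector when it has no address attribute (Tomcat's default is to
    bind every interface) or when the address is an explicit wildcard.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if address is None:
            reason = "no address attribute (Tomcat default: all interfaces)"
        elif address.strip() in WILDCARD_ADDRESSES:
            reason = f"explicit wildcard address {address!r}"
        else:
            continue
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "reason": reason,
        })
    return findings


def harden(server_xml: str, bind_address: str = "127.0.0.1") -> str:
    """Return server.xml with every unrestricted Connector pinned to bind_address.

    This is the default the report proposes. An operator should pick the
    interface that is actually meant to be reachable (for example the one a
    reverse proxy connects to) rather than loopback in every case.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if address is None or address.strip() in WILDCARD_ADDRESSES:
            conn.set("address", bind_address)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in unrestricted_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']} ({f['protocol']}): {f['reason']}")
    fixed = harden(SAMPLE_SERVER_XML)
    assert not unrestricted_connectors(fixed)
    print(fixed)
```

Run it against a real $CATALINA_BASE/conf/server.xml by reading the file into unrestricted_connectors(); a connector with no address attribute is exactly the default the report is concerned about, and the finding can be confirmed on the running host with `ss -ltnp` (a listener shown as 0.0.0.0:8080 or [::]:8080 is bound to every interface).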
